Component Governance issues reported on Omnichannel ADO repos #4183

@charliewang95

Please view our Technical Support Guide before filing a new issue.

Screenshots

image
image

Version

4.14.1

Describe the bug

Description
The package nanoid before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.

Root dependencies for nanoid
postcss 8.3.11
botframework-webchat 4.14.1

Recommendation
Upgrade nanoid from 3.1.30 to 3.1.31 to fix the vulnerability.

Description
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Root dependencies for url-parse
botframework-webchat 4.14.1

Recommendation
Upgrade url-parse to version 1.5.9.

Steps to reproduce

N/A

Expected behavior

ADO doesn't generate these warnings for webchat packages

Additional context

[Bug]


Labels: Bot Services, bug, customer-reported
