GMS-2019-67: Cross-Site Scripting in webpack-bundle-analyzer

May 23, 2019 (updated August 4, 2021)

Versions of webpack-bundle-analyzer are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.

References

github.com/advisories/GHSA-pgr8-jg6h-8gw6
github.com/webpack-contrib/webpack-bundle-analyzer/issues/263
github.com/webpack-contrib/webpack-bundle-analyzer/pull/264
snyk.io/vuln/SNYK-JS-WEBPACKBUNDLEANALYZER-174190
www.npmjs.com/advisories/826

Code Behaviors & Features

Detect and mitigate GMS-2019-67 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →