Skip to content

Navigation Menu

Sign in

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

web-profiler-bundle - retire.js reports DOMPurify 3.0.9 has known vulnerabilities #59852

New issue
Copy link
New issue
Copy link
Open
Open
web-profiler-bundle - retire.js reports DOMPurify 3.0.9 has known vulnerabilities#59852
Copy link
Labels
BugStatus: Needs ReviewWebProfilerBundle
@pauljura

Description

@pauljura
pauljura
opened on Feb 25, 2025
Issue body actions

Symfony version(s) affected

7.2.3

Description

Hi team,

I'm using retire.js to scan for vulnerabilities in my project and it reports that vendor/symfony/web-profiler-bundle/Resources/views/Script/Mermaid/mermaid-flowchart-v2.min.js includes DOMPurify 3.0.9 which in turn has known vulnerabilities.

I know that web-profiler-bundle is only in dev, but I run the retire command in dev, and the client wants to see it report no vulnerabilities in my project.

Any chance of updating web-profiler-bundle to use a more recent version of Mermaid? Thanks

How to reproduce

  1. Create a new Symfony project
  2. Install retire.js with npm install -g retire
  3. Run retire

Possible Solution

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugStatus: Needs ReviewWebProfilerBundle

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      Morty Proxy This is a proxified and sanitized view of the page, visit original site.