[Bug] Security vulnerability in [email protected] (used by VSCode & Monaco)
Reproducible in vscode.dev or in VS Code Desktop?
- [X] Not reproducible in vscode.dev or VS Code Desktop
Reproducible in the monaco editor playground?
- [X] Not reproducible in the monaco editor playground
Monaco Editor Playground Link
No response
Monaco Editor Playground Code
No response
Reproduction Steps
No response
Actual (Problematic) Behavior
Our OWASP scan detected an issue, CVE-2024-45801, in [email protected], which seems to be used by the Monaco editor (VSCode): https://github.com/microsoft/vscode/blob/main/src/vs/base/browser/dompurify/dompurify.js
Please update to [email protected] to get rid of that vulnerability.
Thanks
Expected Behavior
There should be no vulnerability issues.
Additional Context
No response
It looks like DOMPurify was bumped here https://github.com/microsoft/vscode/pull/228773/files but not yet vendored, as was done in this other DOMPurify bump PR: https://github.com/microsoft/vscode/pull/189368/files
@rzhao271 Just wanted to at you as you merged in the version update for DOMPurify
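The situation described above (package.json bumped, vendored bundle still on the old release) is exactly what a file-based scanner keeps flagging. As an added example, not code from VS Code, Monaco or DOMPurify, the check below parses the version out of a vendored DOMPurify bundle and out of package.json and reports whether the two agree and whether the vendored copy is at or past a given fixed release. The `VERSION`/`DOMPurify.version` string patterns are an assumption about how the bundle declares its version, and the sample inputs are constructed for illustration.

```javascript
// Added example (not from VS Code, Monaco or DOMPurify): detect a vendored
// DOMPurify copy that lags the version declared in package.json.
// All inputs below are constructed for illustration.

// Extract the version string from a DOMPurify bundle. Assumption: the bundle
// declares it as `const VERSION = '3.1.7'` and/or `DOMPurify.version = '3.1.7'`;
// both forms are matched, the explicit assignment first.
function parseVendoredVersion(source) {
  const m =
    source.match(/DOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/) ||
    source.match(/const\s+VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/);
  return m ? m[1] : null;
}

// Read the declared dompurify version from package.json text, ignoring a
// leading range operator such as ^ or ~ (only the floor matters here).
function parseDeclaredVersion(packageJsonText, name = 'dompurify') {
  const pkg = JSON.parse(packageJsonText);
  const spec =
    (pkg.dependencies && pkg.dependencies[name]) ||
    (pkg.devDependencies && pkg.devDependencies[name]);
  if (!spec) return null;
  const m = spec.match(/(\d+\.\d+\.\d+)/);
  return m ? m[1] : null;
}

// Numeric comparison of MAJOR.MINOR.PATCH strings: returns -1, 0 or 1.
// String comparison would wrongly rank '3.10.0' below '3.9.9'.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// `minFixed` is the first release known to carry the fix the scanner wants.
// A scanner that fingerprints the vendored file keeps flagging it until the
// vendored copy itself, not just package.json, reaches that release.
function checkVendoredCopy(packageJsonText, vendoredSource, minFixed) {
  const declared = parseDeclaredVersion(packageJsonText);
  const vendored = parseVendoredVersion(vendoredSource);
  return {
    declared,
    vendored,
    vendoredMatchesDeclared:
      declared !== null && vendored !== null && compareSemver(vendored, declared) === 0,
    vendoredIsFixed: vendored !== null && compareSemver(vendored, minFixed) >= 0,
  };
}

// Constructed sample inputs: package.json already bumped, bundle still stale.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: { dompurify: '^3.1.7' },
});
const SAMPLE_VENDORED = [
  '/*! DOMPurify (constructed sample header, not a real bundle) */',
  "const VERSION = '3.1.6';",
  'DOMPurify.version = VERSION;',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  // Prints declared 3.1.7, vendored 3.1.6, both flags false for the sample.
  console.log(checkVendoredCopy(SAMPLE_PACKAGE_JSON, SAMPLE_VENDORED, '3.1.7'));
}
```

Run it against the real vendored file by reading the bundle and package.json from disk and passing the text in; the useful signal for a CI gate is `vendoredMatchesDeclared`, which catches the drift this thread is about independently of any particular CVE.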
Looks like one more CVE has been found now, CVE-2024-47875, but updating to [email protected] should still solve the issue
This pr will bump to the currently latest release (3.1.7): https://github.com/microsoft/vscode/pull/230250
Closing as upstream change in VS Code has been merged
@mjbvz thank you for fixing the issue 👍.
Do you happen to know when monaco-editor version 0.53 will be released with the vulnerability fix?
Hi, when do you plan to release the fix in the Monaco-editor?
Thanks
@aleixsuau it is tracked in https://github.com/microsoft/monaco-editor/issues/4738, no idea when it will be released unfortunately