[x3d-public] Patched X3DJSONLD — security vulnerability in three.js

John Carlson yottzumm at gmail.com
Thu Jan 27 08:52:00 PST 2022


Also be aware that this is a cross-site scripting vulnerability in
three.js, a new message.

On Thu, Jan 27, 2022 at 10:23 AM John Carlson <yottzumm at gmail.com> wrote:

> The package-lock.json in X3DJSONLD referred to three.js 0.136.0 which had
> a security vulnerability in it.  Dependabot did an automated pull request
> and updated the dependency to 0.137.0.
>
> Be sure to upgrade all the versions of three.js that are public facing.
> I will be working on a new production version of X3DJSONLD for the
> coderextreme.net site today.
>
> I am fairly sure the X3D JSON validator does not use three.js, but browse
> safely today, there may be lots of 3D sites being patched!
>
> Thanks!
>
> John
>
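
The upgrade advice in the quoted message, as an added example that is not part of the original thread or of X3DJSONLD: a check that walks a parsed package-lock.json (both the nested v1 layout and the flat v2/v3 layout) and reports every resolved copy of three.js older than 0.137.0. The function names and sample lockfiles are constructed for illustration, and treating every version below 0.137.0 as needing the upgrade is an assumption; the thread names only 0.136.0.

```javascript
// Added example: flag copies of three.js older than 0.137.0 in a parsed lockfile.
// Assumption: every version below 0.137.0 is treated as needing the upgrade.
const FIXED = [0, 137, 0];

// "0.136.0" -> [0, 136, 0]; null for git URLs, tarballs or missing versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function isOlder(a, b) {
  const i = a.findIndex((n, k) => n !== b[k]);
  return i !== -1 && a[i] < b[i];
}

// Returns [{ path, version }] for each resolved "three" below FIXED.
function findOldThree(lock) {
  const hits = [];
  const check = (path, version) => {
    const parsed = parseVersion(version);
    // Unparseable versions are reported too, for manual review.
    if (!parsed || isOlder(parsed, FIXED)) hits.push({ path, version });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/three$/.test(path)) check(path, pkg.version);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      if (name === 'three') check(prefix + name, dep.version);
      walk(dep.dependencies, `${prefix}${name} > `);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not X3DJSONLD's real package-lock.json).
const sampleV2 = { lockfileVersion: 2, packages: {
  'node_modules/three': { version: '0.136.0' },
  'node_modules/viewer/node_modules/three': { version: '0.137.0' },
  'node_modules/@types/three': { version: '0.135.0' } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  three: { version: '0.137.0' },
  viewer: { version: '1.0.0', dependencies: { three: { version: '0.125.2' } } } } };
console.log(findOldThree(sampleV2), findOldThree(sampleV1));
```

To check a real project, pass `findOldThree` the result of `JSON.parse` on the lockfile's contents; nested copies pulled in by other packages are reported with their full path.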