js-yaml (prior to 3.13.0) security vulnerability

[yuanstanley]

Looks like js-yaml 3.12.1, which my security scan says Plotly depends on, has a Denial of Service security vulnerability. A yarn why seems to indicate that it's coming from plotly.js -> mapbox-gl -> gray-matter.

Info on the js-yaml security vulnerability - https://www.npmjs.com/advisories/788

[k-sai-kiranmayee]

@etpinard Even if I upgraded plotly.js to 1.48.1, still could see the vulnerability, might be because of the inner libraries, it is still showing the js-yaml's version as 3.12.0

Could you please have a look.

[etpinard]

We're listing js-yaml as:

plotly.js/package-lock.json

Lines 6473 to 6488 in 7a1ed7b

	"js-yaml": {
	"version": "3.13.0",
	"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.0.tgz",
	"integrity": "sha512-pZZoSxcCYco+DIKBTimr67J6Hy+EYGZDY/HCWC+iAEA9h1ByhMXAIVUXMcMFpOCxQ/xjXmPI2MkDL5HRm5eFrQ==",
	"requires": {
	"argparse": "^1.0.7",
	"esprima": "^4.0.0"
	},
	"dependencies": {
	"esprima": {
	"version": "4.0.1",
	"resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
	"integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A=="
	}
	}
	},

Could you tell how you're installing plotly.js?

[k-sai-kiranmayee]

@etpinard I'm installing it through npm install plotly.js.