GMS-2022-7288: sweetalert2 v11.4.9 and above contains hidden functionality

November 23, 2022 (updated July 10, 2023)

sweetalert2 versions 11.4.9 and above is vulnerable to hidden functionality that was introduced by the maintainer. The package outputs audio and/or video messages that do not pertain to the functionality of the package and is not included in versions 11.0.0 - 11.4.8.

Workaround

Use a version 11.0.0 - 11.4.8 of the package until the maintainer releases a fix.

References

github.com/advisories/GHSA-qq6h-5g6j-q3cm
github.com/sweetalert2/sweetalert2/releases/tag/v11.4.9
www.npmjs.com/package/sweetalert2

Detect and mitigate GMS-2022-7288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →