fix: update validator dep. to get fix for CVE-2025-56200

https://nvd.nist.gov/vuln/detail/CVE-2025-56200
2025-12-16 13:30:23 +01:00 · 2025-11-20 09:02:17 -05:00
parent 12dab84914
commit af477d0c2d
2 changed files with 9 additions and 1 deletions
--- a/install/package.json
+++ b/install/package.json
@@ -148,7 +148,7 @@
        "toobusy-js": "0.5.1",
        "tough-cookie": "6.0.0",
        "undici": "^7.10.0",
-        "validator": "13.15.15",
+        "validator": "13.15.23",
        "webpack": "5.102.0",
        "webpack-merge": "6.0.1",
        "winston": "3.17.0",
--- a/test/user/custom-fields.js
+++ b/test/user/custom-fields.js
@@ -88,6 +88,14 @@ describe('custom user fields', () => {
 			{ message: '[[error:custom-user-field-invalid-link, Website]]' },
 		);

+		await assert.rejects(
+			user.updateProfile(highRepUid, {
+				uid: highRepUid,
+				website: 'javascript:alert("xss")',
+			}),
+			{ message: '[[error:custom-user-field-invalid-link, Website]]' },
+		);
+
 		await assert.rejects(
 			user.updateProfile(highRepUid, {
 				uid: highRepUid,