Versions of console-feed prior to 2.8.10 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape the rendered output. If an application makes a
console.log('%_', payload) call, the package renders HTML containing the malicious payload.
Upgrade to version 2.8.10 or later.
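The escaping failure described above, as an added example that is not console-feed's own code: a simplified log-to-HTML renderer shown without and then with output escaping. The function names, the handling of %s and other specifiers, and the sample input are assumptions made for illustration.

```javascript
// Added illustration: a simplified log-to-HTML renderer, not console-feed's code.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Assumption: %s consumes one argument; any other specifier (such as %_) is
// kept literally, and arguments that were not consumed are appended.
// `encode` is applied to every piece of text that ends up in the output.
function formatLog(args, encode) {
  const rest = args.slice(1);
  const head = String(args[0])
    .split(/(%.)/) // alternating literal text and two-character specifiers
    .map((piece) => (piece === '%s' && rest.length ? encode(rest.shift()) : encode(piece)))
    .join('');
  return [head, ...rest.map((arg) => encode(arg))].join(' ');
}

// Vulnerable pattern: log arguments are concatenated into markup unchanged.
function renderUnsafe(args) {
  return '<span class="log">' + formatLog(args, String) + '</span>';
}

// Hardened pattern: all log text is escaped before it reaches the markup.
function renderSafe(args) {
  return '<span class="log">' + formatLog(args, escapeHtml) + '</span>';
}

// Constructed sample input: a harmless tag stands in for untrusted markup.
const sample = ['%_', '<b id="probe">x</b>'];

console.log(renderUnsafe(sample)); // the tag survives as live markup
console.log(renderSafe(sample));   // the tag is rendered as inert text
```

A quick regression check for any log viewer is the same comparison: feed it a string containing a tag and confirm the rendered HTML contains the entity-encoded form rather than the tag itself.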
Advisory published: Jul 26th, 2019
Reported by Sam Denty: Jul 23rd, 2019