Increase the version of xml-2-js in bubblewrap cli package to eliminate the vulnerability #779
Comments
|
This dependency is brought in via jimp, and the latest 0.22.7 version is not yet using xml2js@0.5.x |
|
This is blocked on jimp-dev/jimp#1223, which is blocked on mattdesl/parse-bmfont-xml#4. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We are using @bubblewrap/cli@1.19.1 which brings xml2js inside and our dependabot raised the issue below.
The latest possible version that can be installed is 0.4.23 because of the following conflicting dependency:
@bubblewrap/cli@1.19.1 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4
The earliest fixed version is 0.5.0.
xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Releasing a newer version of bubblewrap/cli will help users to avoid this security concern.
The text was updated successfully, but these errors were encountered: