Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security vulnerability in dependency xml2js #6

Closed
ctbaird opened this issue Apr 14, 2023 · 7 comments · May be fixed by #5
Closed

security vulnerability in dependency xml2js #6

ctbaird opened this issue Apr 14, 2023 · 7 comments · May be fixed by #5

Comments

@ctbaird
Copy link

ctbaird commented Apr 14, 2023

This package depends on vulnerable versions of xml2js. xml2js should be updated to v0.5.0

From npm audit:

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
@ctbaird ctbaird mentioned this issue Apr 14, 2023
Open
@lorand-horvath
Copy link

@mattdesl Please take a look at this and update xml2js to 0.5.0. Thanks!

@edi9999 edi9999 mentioned this issue Apr 19, 2023
Closed
@lorand-horvath lorand-horvath mentioned this issue Apr 20, 2023
Closed
@lorand-horvath
Copy link

@mattdesl xml2js 0.6.0 is available https://github.com/Leonidas-from-XIV/node-xml2js/tags
Would you take a look at updating the vulnerable version 0.4.5 ? Would very much appreciate any input!

@Willibaur
Copy link

Do we know when this update will happen @lorand-horvath @mattdesl
Thanks

@lorand-horvath
Copy link

@mattdesl doesn't seem to be responding at all. I've launched several requests in his direction, but haven't received any response yet. He is active on github though... his commits in May: https://github.com/mattdesl?tab=overview&from=2023-05-01&to=2023-05-31
However, since June the commits are only in private repos: https://github.com/mattdesl?tab=overview&from=2023-06-01&to=2023-06-26
Very strange, to say the least!

@pumano
Copy link

pumano commented Dec 29, 2023

@mattdesl plz look into it and merge pull request

@lorand-horvath
Copy link

Fixed in #4

@mattdesl
Copy link
Owner

should be sorted now!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: update packages (fixes xml2js vulnerability) bakasmarius/parse-bmfont-xml
5 participants
@mattdesl @Willibaur @pumano @ctbaird @lorand-horvath