Avoid proto pollution about node-xml2js HOT 8 CLOSED

I am a bit confused because in the report you link 0.5.0 is reported as fixed. Maybe something in your dependencies is requiring an old version of xml2js?

from node-xml2js.

Hi

I am having this issue as well and have 0.5.0 installed:

Moderate xml2js is vulnerable to prototype pollution
Package xml2js
Patched in >=0.5.0

Could you offer any advice?

from node-xml2js.

from node-xml2js.

Hi,

In my node project (v14.21.1) i have a bunch of packages (below). When i deply into dev ops, it does an npm audit which then fails the pipeline. In vscode locally, i run npm audit and see the same.

Extract from package.json -

"dependencies": {
"axios": "^0.27.2",
"change-case": "4.1.2",
"dist-exiftool": "^10.53.0",
"fs": "^0.0.1-security",
"mammoth": "^1.4.21",
"node-exiftool": "^2.3.0",
"node-html-parser": "^6.1.0",
"office-document-properties": "^1.1.0",
"pdf-parse": "^1.1.1",
"sha3": "2.1.4",
"stream": "^0.0.2",
"uuid-base62": "^0.1.0",
"winston": "^3.8.1",
"xml2js": "^0.5.0",
"zip": "1.2.0"
},

I removed node_modules and package-lock, npm i but get the same result.

from node-xml2js.

Report states:

Moderate xml2js is vulnerable to prototype pollution

Package xml2js

Patched in >=0.5.0

Dependency of office-document-properties

Path office-document-properties > xml2js

More info GHSA-776f-qx25-q3cc

found 1 moderate severity vulnerability in 512 scanned packages
1 vulnerability requires manual review. See the full report for details.

from node-xml2js.

The report linked states that 0.5.0 is correct, so I assume there must be a bug in the reporting tool.

from node-xml2js.

Would you have any idea on best approach to get around this?

Thanks

from node-xml2js.

Hi, I sorted it by manually updating package-lock which was still referencing a dependency on 0.4.23 - set to 0.5.0 and now the audit is fine.

Thanks

from node-xml2js.