Comments (8)
I am a bit confused because in the report you link 0.5.0 is reported as fixed. Maybe something in your dependencies is requiring an old version of xml2js?
from node-xml2js.
Hi
I am having this issue as well and have 0.5.0 installed:
Moderate xml2js is vulnerable to prototype pollution
Package xml2js
Patched in >=0.5.0
Could you offer any advice?
from node-xml2js.
Hi,
In my node project (v14.21.1) I have a bunch of packages (below). When I deploy into DevOps, it does an npm audit which then fails the pipeline. In VS Code locally, I run npm audit and see the same.
Extract from package.json -
"dependencies": {
"axios": "^0.27.2",
"change-case": "4.1.2",
"dist-exiftool": "^10.53.0",
"fs": "^0.0.1-security",
"mammoth": "^1.4.21",
"node-exiftool": "^2.3.0",
"node-html-parser": "^6.1.0",
"office-document-properties": "^1.1.0",
"pdf-parse": "^1.1.1",
"sha3": "2.1.4",
"stream": "^0.0.2",
"uuid-base62": "^0.1.0",
"winston": "^3.8.1",
"xml2js": "^0.5.0",
"zip": "1.2.0"
},
I removed node_modules and package-lock, ran npm i, but get the same result.
from node-xml2js.
Report states:
Moderate xml2js is vulnerable to prototype pollution
Package xml2js
Patched in >=0.5.0
Dependency of office-document-properties
Path office-document-properties > xml2js
More info GHSA-776f-qx25-q3cc
found 1 moderate severity vulnerability in 512 scanned packages
1 vulnerability requires manual review. See the full report for details.
from node-xml2js.
The report linked states that 0.5.0 is correct, so I assume there must be a bug in the reporting tool.
from node-xml2js.
Would you have any idea on best approach to get around this?
Thanks
from node-xml2js.
Hi, I sorted it by manually updating package-lock, which was still referencing a dependency on 0.4.23 - set it to 0.5.0 and now the audit is fine.
Thanks
from node-xml2js.