Azure / azure-storage-node

Microsoft Azure Storage SDK for Node.js
http://azure.github.io/azure-storage-node/
Apache License 2.0
495 stars, 226 forks

xml2js security issue for version 0.2.8 in azure-storage #741

Open saileerane opened 9 months ago

saileerane commented 9 months ago

For latest features support, please switch to Azure Storage JavaScript SDK V10.

Which service (blob, file, queue, table) does this issue concern?

The issue is caused by the xml2js@0.2.8 version. This needs to be updated to xml2js@0.5.0 in azure-storage@2.10.7.

Which version of the SDK was used?

azure-storage@2.10.7

What's the Node.js/Browser version?

node 18

What problem was encountered?

xml2js@0.2.8 introduces security vulnerabilities, which can be fixed by upgrading to xml2js@0.5.0.

Steps to reproduce the issue?

Install azure-storage@2.10.7 and check its dependencies for xml2js.

Have you found a mitigation/solution?

Upgrade xml2js to version 0.5.0.

sm3sher commented 3 weeks ago

You should not use this library as there won't be any updates.

If there is a severe security issue, take a look at SECURITY.md, as it states:

Please do not report security vulnerabilities through public GitHub issues. Instead, please report them to the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/create-report.