search

GoogleChromeLabs / bubblewrap

Bubblewrap is a Command Line Interface (CLI) that helps developers to create a Project for an Android application that launches an existing Progressive Web App (PWAs) using a Trusted Web Activity.
Apache License 2.0
2.36k stars 161 forks source link

Increase the version of xml-2-js in bubblewrap cli package to eliminate the vulnerability #779

Open ahmetcetin39 opened 1 year ago

ahmetcetin39 commented 1 year ago

We are using @bubblewrap/cli@1.19.1 which brings xml2js inside and our dependabot raised the issue below.

The latest possible version that can be installed is 0.4.23 because of the following conflicting dependency: @bubblewrap/cli@1.19.1 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4 The earliest fixed version is 0.5.0.

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Releasing a newer version of bubblewrap/cli will help users to avoid this security concern.

andreban commented 1 year ago

This dependency is brought in via jimp, and the latest 0.22.7 version is not yet using xml2js@0.5.x

andreban commented 1 year ago

This is blocked on https://github.com/jimp-dev/jimp/issues/1223, which is blocked on https://github.com/mattdesl/parse-bmfont-xml/pull/4.