Closed lukewang2018 closed 1 year ago
@lukewang2018 Upgrade xml2js
version to latest0.5.0
.
@MChuduk Thanks a lot for your quick fixing!
@lukewang2018 You're welcome.
Due to the tags in GitHub, npm/yarn/GitHub might be confused as to what the latest non-beta release is. Manually setting the version to 0.5.0 does resolve the security issue. Please update the Tags in GitHub?
I tried to use version 0.5.0 in package.json and installed but still observing the security vulnerability CVE-2023-0842. Is anyone else facing the same vulnerability issue in 0.5.0
@Leonidas-from-XIV Can you please advise
Hi @sachindkagrawal18 I had the same problem, as of NPM cli 8.3 there is a new property called overrides that can do the trick while the new version is properly released. Just add this snippet on your package.json
"overrides": {
"officeparser": {
"xml2js": "0.5.0"
}
}
That worked for me :D
Bro dependabot was annoying me this whole time just because of this! haha
@Leonidas-from-XIV any chance of backporting the fix to 0.4
? xml2js
is pulled in from a deep transitive dependency, and getting every dependency to upgrade isn't gonna be quick.
I know I can force a newer version, but it's hard to say if that's safe without a changelog of some sorts. And regardless, forcing every consumer (14M weekly downloads) to do so seems a bit much.
@SimenB I don't think it's possible, as the fix is a backwards-incompatible change (#603), at least depending on how you use the object that gets returned (if you just use it as a data object . I first thought it could be mitigated in an easier way to stay in the 0.4 series, but this looks like a game of whack-a-mole.
If you have a PR that would fix the issue in a compatible way, I am perfectly happy to add another release to the 0.4 series.
But you can use overrides to force dependencies to use newer versions, maybe that helps?
[ Security] [CVE-2023-0842] xml2js is vulnerable to prototype pollution
Can someone help fix this security issue? Thanks.
Refer to https://github.com/advisories/GHSA-776f-qx25-q3cc
Affected versions <= 0.4.23
Description xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited. References