Leonidas-from-XIV / node-xml2js

XML to JavaScript object converter.
MIT License

Please release xml2js 0.4.24 including the security fix of 0.5.0 - important #671

Closed lorand-horvath closed 1 year ago

lorand-horvath commented 1 year ago

@Leonidas-from-XIV There has been a stream of issues coming in mainly from JIMP users due to the transient dependency on xml2js via ^0.4 which doesn't bump up to the fixed version 0.5. Please see https://github.com/mattdesl/parse-bmfont-xml/pull/4 and https://github.com/mattdesl/parse-bmfont-xml/issues/6 and https://github.com/jimp-dev/jimp/issues/1223 for more details.

The problem is that @mattdesl the developer of parse-bmfont-xml is unreachable. So a quick fix to these problems would be for you to release an xml2js@0.4.24 version (with the same content as 0.5.0) which would then be picked up when reinstalling JIMP via transient parse-bmfont-xml.

Thanks a lot!

PS: I take note of the discussion following your observation of a possible breaking change when going from 0.4.23 to 0.5.0 https://github.com/Leonidas-from-XIV/node-xml2js/issues/667#issuecomment-1506587528

Leonidas-from-XIV commented 1 year ago

I don't think I can do that because instead of keeping some packages at old versions (which can be overridden using npm and depending on the package might work) it would potentially break every single dependency.

So the best I can suggest is to either override it (if possible, given some changes are indeed backwards incompatible) or fork parse-bmfont-xml and update the code.

lorand-horvath commented 1 year ago

@Leonidas-from-XIV I used an override in package.json, which is working just fine:

  "overrides": {
    "jimp": {
      "xml2js": "^0.5.0"
    }
  }

Leonidas-from-XIV commented 1 year ago

Yes, in this case it works but that's not true of all the packages that depend on xml2js unfortunately.

lorand-horvath commented 4 months ago

Fixed in https://github.com/mattdesl/parse-bmfont-xml/pull/4