Leonidas-from-XIV / node-xml2js

XML to JavaScript object converter.
MIT License

Avoid proto pollution #673

Closed JordanDelcros closed 11 months ago

JordanDelcros commented 1 year ago

Hi mate, I am using CapacitorJS that depends on you so thanks for your work. I'm just letting you know that your dependency is listed as a high severity vulnerability even on your last version for prototype pollution.

```text
# npm audit report

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
```

Thanks for reading!

Leonidas-from-XIV commented 1 year ago

I am a bit confused because in the report you link 0.5.0 is reported as fixed. Maybe something in your dependencies is requiring an old version of xml2js?

cstanleyhns commented 1 year ago

Hi

I am having this issue as well and have 0.5.0 installed:

Moderate xml2js is vulnerable to prototype pollution
Package xml2js
Patched in >=0.5.0

Could you offer any advice?

Leonidas-from-XIV commented 1 year ago

Where are you getting the report from?

cstanleyhns commented 1 year ago

Hi,

In my Node project (v14.21.1) I have a bunch of packages (below). When I deploy into DevOps, it does an npm audit which then fails the pipeline. In VS Code locally, I run npm audit and see the same.

Extract from package.json:

```json
"dependencies": {
  "axios": "^0.27.2",
  "change-case": "4.1.2",
  "dist-exiftool": "^10.53.0",
  "fs": "^0.0.1-security",
  "mammoth": "^1.4.21",
  "node-exiftool": "^2.3.0",
  "node-html-parser": "^6.1.0",
  "office-document-properties": "^1.1.0",
  "pdf-parse": "^1.1.1",
  "sha3": "2.1.4",
  "stream": "^0.0.2",
  "uuid-base62": "^0.1.0",
  "winston": "^3.8.1",
  "xml2js": "^0.5.0",
  "zip": "1.2.0"
},
```

I removed node_modules and package-lock, npm i but get the same result.

cstanleyhns commented 1 year ago

Report states:

Moderate xml2js is vulnerable to prototype pollution

Package xml2js

Patched in >=0.5.0

Dependency of office-document-properties

Path office-document-properties > xml2js

More info https://github.com/advisories/GHSA-776f-qx25-q3cc

found 1 moderate severity vulnerability in 512 scanned packages 1 vulnerability requires manual review. See the full report for details.

Leonidas-from-XIV commented 1 year ago

The report linked states that 0.5.0 is correct, so I assume there must be a bug in the reporting tool.

cstanleyhns commented 1 year ago

Would you have any idea on best approach to get around this?

Thanks

cstanleyhns commented 1 year ago

Hi, I sorted it by manually updating package-lock, which was still referencing a dependency on 0.4.23; I set it to 0.5.0 and now the audit is fine.

Thanks
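A defensive check matching the resolution above, as an added example that is not code from xml2js or from any participant in the thread: it walks a package-lock.json and lists every resolved copy of a package that is older than the advisory's patched version, which is how a nested 0.4.23 can hide behind a top-level `"xml2js": "^0.5.0"`. The lock fragment below is constructed for illustration; the function and field names are the example's own.

```javascript
// Added example (not code from xml2js or the thread): scan a package-lock.json
// for every resolved copy of a package older than the advisory's patched version,
// the case in the thread where the lock still held xml2js 0.4.23 under ^0.5.0.

// Compare dotted numeric versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Return [{ path, version }] for each copy of `name` below `patched`; handles v1 nested "dependencies" and v2/v3 flat "packages".
function findUnpatched(lock, name, patched) {
  const hits = [];
  const record = (path, version) => {
    if (version && compareVersions(version, patched) < 0) hits.push({ path, version });
  };
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/xml2js"; "" is the root project
    for (const [key, meta] of Object.entries(lock.packages)) {
      const trail = key.replace(/^node_modules\//, '').split('/node_modules/');
      if (trail[trail.length - 1] === name) record(trail.join(' > '), meta.version);
    }
  } else {
    // v1: each dependency may carry its own nested "dependencies" object
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = [...trail, dep];
        if (dep === name) record(path.join(' > '), meta.version);
        walk(meta.dependencies, path);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed lockfile v1 fragment (npm 6, as shipped with Node 14); not a real lock.
const sampleLock = {
  dependencies: {
    xml2js: { version: '0.5.0' },
    'office-document-properties': { version: '1.1.0', dependencies: { xml2js: { version: '0.4.23' } } },
  },
};

console.log(findUnpatched(sampleLock, 'xml2js', '0.5.0'));
// → [ { path: 'office-document-properties > xml2js', version: '0.4.23' } ]
```

Running it against a real lock is `findUnpatched(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')), 'xml2js', '0.5.0')`; an empty result means every resolved copy is at or above the patched version.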