Closed JordanDelcros closed 11 months ago
I am a bit confused because in the report you link 0.5.0 is reported as fixed. Maybe something in your dependencies is requiring an old version of xml2js?
Hi
I am having this issue as well and have 0.5.0 installed:
Moderate xml2js is vulnerable to prototype pollution
Package xml2js
Patched in >=0.5.0
Could you offer any advice?
Where are you getting the report from?
Hi,
In my node project (v14.21.1) I have a bunch of packages (below). When I deploy into DevOps, it does an npm audit which then fails the pipeline. In VS Code locally, I run npm audit and see the same.
Extract from package.json -
"dependencies": { "axios": "^0.27.2", "change-case": "4.1.2", "dist-exiftool": "^10.53.0", "fs": "^0.0.1-security", "mammoth": "^1.4.21", "node-exiftool": "^2.3.0", "node-html-parser": "^6.1.0", "office-document-properties": "^1.1.0", "pdf-parse": "^1.1.1", "sha3": "2.1.4", "stream": "^0.0.2", "uuid-base62": "^0.1.0", "winston": "^3.8.1", "xml2js": "^0.5.0", "zip": "1.2.0" },
I removed node_modules and package-lock, npm i but get the same result.
Report states:
Moderate xml2js is vulnerable to prototype pollution
Package xml2js
Patched in >=0.5.0
Dependency of office-document-properties
Path office-document-properties > xml2js
More info https://github.com/advisories/GHSA-776f-qx25-q3cc
found 1 moderate severity vulnerability in 512 scanned packages 1 vulnerability requires manual review. See the full report for details.
The report linked states that 0.5.0 is correct, so I assume there must be a bug in the reporting tool.
Would you have any idea on best approach to get around this?
Thanks
Hi, I sorted it by manually updating package-lock which was still referencing a dependency on 0.4.23 - set to 0.5.0 and now the audit is fine.
Thanks
Hi mate, I am using CapacitorJS that depends on you so thanks for your work. I'm just letting you know that your dependency is listed as a high severity vulnerability even on your last version for prototype pollution.
Thanks for reading!