NaturalIntelligence / fast-xml-parser

Validate XML, Parse XML and Build XML rapidly without C/C++ based libraries and no callback.
https://naturalintelligence.github.io/fast-xml-parser/
MIT License

Vulnerability open for a few days: GHSA-gpv5-7x3g-ghjv #591

Status: Closed. alfaproject closed this issue 1 year ago

alfaproject commented 1 year ago

All the details here: https://github.com/advisories/GHSA-gpv5-7x3g-ghjv

This was opened a few days ago, but it looks like it was already patched? Or is it a false positive?

Either way, a release can be done or the vulnerability discarded, but as it stands our pipelines are stopped right now unless we ignore this but I'd prefer not to ignore without getting feedback here.

github-actions[bot] commented 1 year ago

We're glad you find this project helpful. We'll try to address this issue ASAP. You can visit https://solothought.com to know recent features. Don't forget to star this repo.

jozefsukovsky commented 1 year ago

I would like to add that this report breaks auditing tools, e.g. pnpm audit (which cannot omit/skip GHSA reports). And the report itself is a bit confusing, as it is not clear if it really is a security issue or just a suggestion. Hence, the consequences of this GHSA are quite unbalanced.

WikiRik commented 1 year ago

This seems to have been fixed in https://github.com/NaturalIntelligence/fast-xml-parser/commit/9a880b887916855c3a510869fd1ee268d7fe58b1 but a new release has not been published for this yet

Afellman commented 1 year ago

Any update on this?

felixsonyusuftosin commented 1 year ago

Will this be updated anytime soon?

martin-walsh commented 1 year ago

@amitguptagwl your published advisory on your most recent security fix means the fix is hard to adopt: https://github.com/advisories/GHSA-gpv5-7x3g-ghjv

gijspon commented 1 year ago

Need an update for this!

aaleksandrov commented 1 year ago

Would be awesome to release this - aws-sdk-v3 depends on this library and brings this vulnerability

eclousersans commented 1 year ago

This seems to have been fixed in 9a880b8 but a new release has not been published for this yet

Would like to see a quick release for this, as the issue is currently blocking many of our CI pipelines.

Zajozor commented 1 year ago

If you want to "hotfix"/"force" your yarn audits to pass in the meantime, here's a tip:

Lockfile part of the library that depends on fast-xml-parser

---    fast-xml-parser "4.2.4"
+++    fast-xml-parser "https://github.com/YourGreatFork/fast-xml-parser#v4.2.5"

Lockfile part where fast-xml-parser is declared:

--- fast-xml-parser@4.2.4:
---  version "4.2.4"
+++ fast-xml-parser "https://github.com/YourGreatFork/fast-xml-parser#v4.2.5":
+++   version "4.2.5"
+++   resolved "https://github.com/YourGreatFork/fast-xml-parser#cc73065e1469147a0104dc122b0cdf6724354446"

(note that the commitID is the latest commit ID in the main branch of this repo - check it yourself to be sure!)

It's obviously not pretty, and manual lockfile edits are not a good idea in general, but it may be an acceptable temporary hotfix for your case. It should survive subsequent npm/yarn installs.

Looking forward to an actual release including the fix on the upstream package :) !

fernandopioli commented 1 year ago

Hi @amitguptagwl. Could you please help us on that? thanks

amitguptagwl commented 1 year ago

I'm a little confused here. Someone has raised a PR to update the GitHub Advisory Database, which is not in my control. But there is no open security issue that I know of. What should I do to solve the issue, so that you don't see any error in your build pipeline?

amitguptagwl commented 1 year ago

Now I've updated all the advisories with the fixed version. Please check if this solves your issue.

aaleksandrov commented 1 year ago

@amitguptagwl, as @WikiRik pointed out here, a fix was already merged, so it's a matter of releasing a new version as far as I understand.

amitguptagwl commented 1 year ago

@aaleksandrov I have done that too, a few minutes ago. So I hope everything is sorted now.

aaleksandrov commented 1 year ago

Thanks, now aws-sdk-v3 needs to release an update because they have the fast-xml-parser version pinned as 4.2.4
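The two comments above (the manual yarn.lock hotfix, and aws-sdk-v3 pinning fast-xml-parser to the exact version 4.2.4) describe the same practical problem: bumping the package at the top level does nothing when an intermediate dependency pins an exact older version, because the package manager then installs a second, nested copy. The following is an added example, not code from the fast-xml-parser project or from anyone in this thread. It walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3) and reports every installed copy of a package whose version is below the advisory's fixed version, so you can see nested copies that `npm audit` is complaining about. The lockfile content, the package and version numbers in it, and the function names are constructed for the example; the fixed version 4.2.5 is the one named in this thread.

```javascript
// Added example: find every copy of a package in an npm lockfile that is still
// below the advisory's fixed version, including nested copies such as
// node_modules/<dependant>/node_modules/<package>. Lockfile content below is
// constructed for illustration and is not a real aws-sdk lockfile.

// Split "4.2.4" into [4, 2, 4]. A "-prerelease" suffix is dropped; lockfiles
// record exact resolved versions, so that is sufficient here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => Number.parseInt(n, 10) || 0);
}

// Numeric major.minor.patch comparison: true when a is strictly below b.
// (String comparison would wrongly rank "4.10.0" below "4.9.0".)
function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Scan the lockfile "packages" map. Keys are install paths such as
// "node_modules/foo" or "node_modules/@scope/bar/node_modules/foo", so a
// match is either the top-level path or any path ending in "/node_modules/foo".
function findUnfixedCopies(lock, name, fixedVersion) {
  const hits = [];
  const suffix = "node_modules/" + name;
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (!entry.version) continue; // e.g. workspace links without a version
    if (versionLessThan(entry.version, fixedVersion)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: the root copy is already 4.2.5, but a copy nested under a
// dependant that pins "4.2.4" exactly is still installed and still vulnerable.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "@aws-sdk/client-s3": "3.0.0", "fast-xml-parser": "4.2.5" },
    },
    "node_modules/fast-xml-parser": { version: "4.2.5" },
    "node_modules/@aws-sdk/client-s3": {
      version: "3.0.0",
      dependencies: { "fast-xml-parser": "4.2.4" },
    },
    "node_modules/@aws-sdk/client-s3/node_modules/fast-xml-parser": { version: "4.2.4" },
  },
};

// Fixed version from the advisory discussed in this thread.
const FIXED_VERSION = "4.2.5";

function auditSample() {
  return findUnfixedCopies(SAMPLE_LOCK, "fast-xml-parser", FIXED_VERSION);
}

for (const hit of auditSample()) {
  console.log(`${hit.path}: ${hit.version} is below ${FIXED_VERSION}`);
}
```

If the scan reports a nested copy, the supported alternative to hand-editing the lockfile is a package-manager override in package.json: npm (8.3 or later) honours an "overrides" field, Yarn classic a "resolutions" field, and pnpm a "pnpm.overrides" field, each mapping "fast-xml-parser" to the fixed version. Re-running the scan after `npm install` should then return no hits, and that is the check to keep in CI rather than ignoring the advisory.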

7085 commented 1 year ago

This should not have been a security advisory in the first place but a regular issue, because the actual vulnerability was already fixed in 4.2.4. Now there are two, you should revoke those. Only publish an advisory when there is an actual vulnerability, people misuse the button "Report a vulnerability" often unfortunately.

eclousersans commented 1 year ago

Our issue is now resolved. Thanks!

amitguptagwl commented 1 year ago

I'm closing this issue. But if anything left then please reopen or comment.