Speech-Rule-Engine / speech-rule-engine

Generating speech descriptions for XML structures
https://zorkow.github.io/speech-rule-engine/
Apache License 2.0

xmldom-sre vulnerability #702

Open Ancient-Dragon opened 1 year ago

Ancient-Dragon commented 1 year ago

Hi there,

We're trying to bring in this package but because of a vulnerability in xmldom-sre we are unable to. It also looks like this package isn't maintained; would it be possible to switch it out?

Thanks!

zorkow commented 1 year ago

xmldom-sre is speech rule engine's own fork of xmldom, which is no longer maintained. The main difference is that it fixes a couple of bugs and adds a full list of HTML entities.

What exactly is the vulnerability that you have found? Maybe we can fix it. When I install it with npm I get found 0 vulnerabilities.

Ancient-Dragon commented 1 year ago

It was picked up by Sonar for us; the vulnerability is CVE-2022-37616.

zorkow commented 1 year ago

I've just made a new beta release and pushed speech-rule-engine@4.1.0-beta.3 to npm. Its version of xmldom-sre is now based on the new fork from @xmldom/xmldom, which should take care of the security vulnerability. Have a look whether this works for you.
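
The practical question in this thread is which direct dependency pulls xmldom-sre into a project and whether a new release still does. Below is an added example (not code from speech-rule-engine or its author) that walks a package-lock.json-style "packages" map and returns every dependency chain from the project root to a flagged package; the lockfile data and versions are constructed placeholders.

```javascript
// Added example (not part of speech-rule-engine): list every dependency path from the
// project root to a flagged package, so a team can see what pulls it in and re-check
// after upgrading. The input shape mirrors the "packages" map of a package-lock.json
// (lockfileVersion 2/3): keys are node_modules paths, each entry names its own
// "dependencies". The lockfile below is CONSTRUCTED for illustration; versions are placeholders.
const sampleLock = {
  name: "example-app",
  packages: {
    "": { dependencies: { "speech-rule-engine": "^4.0.0" } },
    "node_modules/speech-rule-engine": {
      version: "0.0.0-placeholder",
      dependencies: { "xmldom-sre": "*", "commander": "*" },
    },
    "node_modules/xmldom-sre": { version: "0.0.0-placeholder" },
    "node_modules/commander": { version: "0.0.0-placeholder" },
  },
};

// Resolve a dependency name to its lock entry. Real lockfiles nest conflicting versions
// under <parent>/node_modules/<name>, so the nested location is checked before the hoisted one.
function resolveEntry(lock, fromPath, name) {
  const nested = (fromPath ? fromPath + "/" : "") + "node_modules/" + name;
  if (lock.packages[nested]) return nested;
  const hoisted = "node_modules/" + name;
  return lock.packages[hoisted] ? hoisted : null;
}

// Depth-first walk returning every chain of package names from the root to `flagged`.
// A per-branch `seen` set stops cycles without hiding legitimate alternate paths.
function findDependencyPaths(lock, flagged) {
  const paths = [];
  const walk = (pkgPath, chain, seen) => {
    const entry = lock.packages[pkgPath];
    if (!entry) return;
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveEntry(lock, pkgPath, depName);
      if (!depPath || seen.has(depPath)) continue; // unresolved or cyclic edge
      const next = chain.concat(depName);
      if (depName === flagged) paths.push(next);
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk("", [], new Set([""]));
  return paths;
}

// Which dependency brings xmldom-sre into the constructed project?
// findDependencyPaths(sampleLock, "xmldom-sre") -> [["speech-rule-engine", "xmldom-sre"]]
```

Running the same walk against the lockfile produced after installing the updated release shows whether the flagged package is still present and, if so, through which chain.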

Ancient-Dragon commented 1 year ago

Thank you so much, I'll try to pull it in after the Easter weekend!