Closed sofiyaca closed 3 years ago
Can the version restriction be upgraded to allow the fixed version 0.7.0?
I think maybe there is some confusion. xmldom hasn't published a 0.7.0 version yet. Are you referring to something else?
> xmldom hasn't published a 0.7.0 version yet
They did, but only as a GitHub release (repo update), not published on npm yet.
@sofiyaca, the "xmldom": "^0.6.0" version restriction looks fine, as it will allow picking up the 0.7.0 update when the time/npm-release comes.
Ahhhh, it appears I updated the xmldom dep a few weeks ago, but never published it to npm. Will do that now.
It's live as 3.0.3.
This should be reopened. plist 3.0.3 bumped xmldom to ^0.6.0, which is >= 0.6.0, < 0.7.0. The vulnerability was patched in version 0.7.0 of xmldom. Would you mind bumping the xmldom dependency to allow for 0.7.0 and releasing another patch of plist?
As of right now, there is no such thing as xmldom@0.7.0. See here: https://www.npmjs.com/package/xmldom
The latest module published is 0.6.0.
When xmldom publishes this, we'll update.
> plist 3.0.3 bumped xmldom to ^0.6.0 which is >= 0.6.0, < 0.7.0
Right, I missed the leading zero.
> When xmldom publishes this, we'll update.
There is going to be an xmldom 0.6.1 release (https://github.com/xmldom/xmldom/discussions/270#discussioncomment-1140374), so a new plist release won't be required.
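The caret-range question debated above (whether `^0.6.0` can pick up 0.7.0), as an added example that is not part of the thread or of plist's code: a small evaluator for npm-style caret ranges on plain x.y.z versions. The function names and the `published` list are constructed for illustration; the list assumes both 0.6.1 and 0.7.0 were on the registry.

```javascript
"use strict";

// Parse a plain "x.y.z" version (no prerelease tags) into [major, minor, patch].
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

// Negative, zero or positive, like a sort comparator.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// A caret range permits changes that leave the left-most non-zero component alone:
// ^1.2.3 -> <2.0.0, ^0.6.0 -> <0.7.0, ^0.0.3 -> <0.0.4.
function caretBounds(range) {
  if (!range.startsWith("^")) throw new Error(`not a caret range: ${range}`);
  const lower = parse(range.slice(1));
  let upper;
  if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
  else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
  else upper = [0, 0, lower[2] + 1];
  return { lower, upper };
}

function satisfies(version, range) {
  const { lower, upper } = caretBounds(range);
  const v = parse(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Highest published version the range resolves to, or null if none match.
function maxSatisfying(versions, range) {
  const ok = versions.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry snapshot; not real npm data.
const published = ["0.5.0", "0.6.0", "0.6.1", "0.7.0"];
console.log(maxSatisfying(published, "^0.6.0")); // 0.6.1
console.log(satisfies("0.7.0", "^0.6.0")); // false
```

A range only applies within one package name, so a fix shipped under a different name such as `@xmldom/xmldom` is never selected by any range declared on `xmldom`.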
Just out of curiosity, does anyone know why the xmldom people are not able to publish 0.7.0 to npm?
They mention they're having trouble in the issue but not where this trouble is coming from.
Seems very...odd...
Some info recently posted here https://github.com/xmldom/xmldom/issues/271#issuecomment-894383897
Looks like they will be publishing a new version of xmldom called @xmldom. I believe it should be published later today with the fix
https://www.npmjs.com/package/@xmldom/xmldom
It is published.
The dependency on xmldom listed in package.json has a vulnerability. Can the version restriction be upgraded to allow the fixed version 0.7.0?