TooTallNate / plist.js

Mac OS X Plist parser/builder for Node.js and browsers
MIT License

Upgrade xlmdom dependency to fix security advisory #110

Closed sofiyaca closed 3 years ago

sofiyaca commented 3 years ago

The dependency on xlmdom listed in package.json has a vulnerability. Can the version restriction be upgraded to allow the fixed version 0.7.0?

mreinstein commented 3 years ago

Can the version restriction be upgraded to allow the fixed version 0.7.0?

I think maybe there is some confusion. xmldom hasn't published a 0.7.0 version yet. Are you referring to something else?

vladimiry commented 3 years ago

xmldom hasn't published a 0.7.0 version yet

They did but only as github release (repo update), not published on npm yet.

@sofiyaca, the "xmldom": "^0.6.0" version restriction looks fine as it will allow to pick up the 0.7.0 update when the time/npm-release comes.

mreinstein commented 3 years ago

ahhhh, it appears I updated the xmldom dep a few weeks ago, but never published it to npm. Will do that now.

mreinstein commented 3 years ago

It's live as 3.0.3.

daveallie commented 3 years ago

This should be reopened. plist 3.0.3 bumped xmldom to ^0.6.0 which is >= 0.6.0, < 0.7.0. The vulnerability was patched in version 0.7.0 of xmldom. Would you mind bumping the xmldom dependency to allow for 0.7.0 and releasing another patch of plist?
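
The point daveallie makes above is easy to get wrong: npm's caret range on a 0.x version only floats the patch digit, so "^0.6.0" can never resolve to the fixed 0.7.0. The following is an added example, not code from plist.js or from anyone in this thread; it implements the caret-range rule for plain `major.minor.patch` versions and checks whether a `package.json` range can reach a given fix version (the `fixReachable` helper and the sample dependency entry are assumptions constructed here).

```javascript
// Added example (not part of plist.js): caret-range semantics for 0.x versions.

// Parse "X.Y.Z" into [X, Y, Z]; prerelease/build suffixes are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A caret range allows updates that do not change the left-most non-zero digit:
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.6.0 -> >=0.6.0 <0.7.0   (minor is the "breaking" digit below 1.0.0)
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretRange(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const [major, minor, patch] = parseVersion(range.slice(1));
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower: [major, minor, patch], upper };
}

function satisfies(version, range) {
  const { lower, upper } = caretRange(range);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Can an `npm update` under this dependency range ever install the fix?
// (hypothetical helper, named here for the example)
function fixReachable(depRange, fixedVersion) {
  return satisfies(fixedVersion, depRange);
}

// Constructed sample mirroring the thread: plist 3.0.3 declared "xmldom": "^0.6.0".
const deps = { xmldom: '^0.6.0' };
console.log(fixReachable(deps.xmldom, '0.6.1')); // true  (a 0.6.1 backport would be picked up)
console.log(fixReachable(deps.xmldom, '0.7.0')); // false (the 0.7.0 fix is out of range)
```

The same check is worth running against every 0.x dependency when triaging an advisory, since a range that looks "floating" may still exclude the patched release.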

mreinstein commented 3 years ago

As of right now, there is no such thing as xmldom@0.7.0. See here: https://www.npmjs.com/package/xmldom

The latest module published is 0.6.0.

When xmldom publishes this, we'll update.

vladimiry commented 3 years ago

plist 3.0.3 bumped xmldom to ^0.6.0 which is >= 0.6.0, < 0.7.0

Right, I missed the leading zero.

When xmldom publishes this, we'll update.

There is going to be an xmldom 0.6.1 release https://github.com/xmldom/xmldom/discussions/270#discussioncomment-1140374 so a new plist release won't be required.

mreinstein commented 3 years ago

Just out of curiosity, does anyone know why the xmldom people are not able to publish 0.7.0 to npm?

They mention they're having trouble in the issue but not where this trouble is coming from.

Seems very...odd...

vladimiry commented 3 years ago

Some info recently posted here https://github.com/xmldom/xmldom/issues/271#issuecomment-894383897

ryankashi commented 3 years ago

Looks like they will be publishing a new version of xmldom called @xmldom. I believe it should be published later today with the fix

https://github.com/xmldom/xmldom/discussions/270

https://github.com/xmldom/xmldom/pull/278

harmonjt commented 3 years ago

https://www.npmjs.com/package/@xmldom/xmldom

It is published.

mreinstein commented 3 years ago

fixed via https://github.com/TooTallNate/plist.js/commit/fa8e184631d3b809da1a9e3cfcf6407919871d1b