I got dependabot alert in my project referencing webpack-pwa-manifest v4.3.0:
xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
webpack-pwa-manifest@4.3.0 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4
No patched version available for xml2js
The earliest fixed version is 0.5.0.
parse-bmfont-xml project seems to be unsupported. Could a reference to it be replaced by something else?
Hi!
I got dependabot alert in my project referencing webpack-pwa-manifest v4.3.0:
parse-bmfont-xml project seems to be unsupported. Could a reference to it be replaced by something else?