grafana / grafana-image-renderer

A Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)
Apache License 2.0

Upgrade xml2js package for fixing CVE-2023-0842 #428

Closed beltran-rubo closed 1 year ago

beltran-rubo commented 1 year ago

The xml2js included is 0.4.23 in the latest version available (v3.7.1). This includes the CVE-2023-0842. Do you plan to update this component to xml2js version 0.5.0 that includes the fix?

Clarity-89 commented 1 year ago

xml2js is not used directly by the renderer. It is a nested dependency of one of the jimp plugins, which we have no control over.
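
As an added example (not part of the issue thread or the project's code): one way to confirm which installed package declares a nested xml2js and whether the copy it loads is older than 0.5.0, by walking the `packages` map of an npm lockfile the way Node resolves modules. It assumes a `package-lock.json` with lockfileVersion 2 or 3; the lockfile contents and the names `@jimp/plugin-example`, `example-xml-helper` and `other-example` are constructed for illustration.

```javascript
const TARGET = "xml2js";
const FIXED = "0.5.0"; // fixed release named in the issue
// Compare plain x.y.z versions; negative when a is older than b.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Resolve `name` as Node does for the package installed at `fromKey`:
// nearest node_modules first, then each parent directory up to the root.
function resolve(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Report each package that declares TARGET, the copy it loads, and its status.
function findVulnerable(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [key, meta] of Object.entries(packages)) {
    if (!(meta.dependencies || {})[TARGET]) continue;
    const resolved = resolve(packages, key, TARGET);
    if (!resolved) continue;
    const version = packages[resolved].version;
    const requiredBy = key.replace(/^.*node_modules\//, "") || "(root project)";
    findings.push({ requiredBy, resolved, version, vulnerable: cmpVersion(version, FIXED) < 0 });
  }
  return findings;
}

// Constructed lockfile; all package names except xml2js are hypothetical.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "renderer-example", dependencies: { "@jimp/plugin-example": "^0.1.0" } },
  "node_modules/@jimp/plugin-example": { version: "0.1.0", dependencies: { "example-xml-helper": "^1.0.0" } },
  "node_modules/example-xml-helper": { version: "1.0.0", dependencies: { xml2js: "^0.4.5" } },
  "node_modules/xml2js": { version: "0.4.23" },
  "node_modules/other-example": { version: "2.0.0", dependencies: { xml2js: "^0.5.0" } },
  "node_modules/other-example/node_modules/xml2js": { version: "0.5.0" },
} };
console.log(JSON.stringify(findVulnerable(sampleLock), null, 2));
```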