krampstudio / chai-xml

Xml assertions for Chai
MIT License

Update xml2js to 0.5 to solve CVE-2023-0842 #18

Closed diego-santacruz closed 1 year ago

diego-santacruz commented 1 year ago

chai-xml currently uses xml2js ^0.4.23 but versions < 0.5 have a prototype pollution vulnerability as described in https://github.com/advisories/GHSA-776f-qx25-q3cc

From what I could see in https://github.com/Leonidas-from-XIV/node-xml2js there seems to be no breaking changes in xml2js 5.0.0, so fixing the issue should be a simple matter.

michael-lloyd-morris commented 1 year ago

Cucumber-JS uses this library and all tests passed after I applied an override.

https://github.com/cucumber/cucumber-js/pull/2275

krampstudio commented 1 year ago

Thanks for reporting. It should be fixed with v0.4.1