Closed diego-santacruz closed 1 year ago
chai-xml currently uses xml2js ^0.4.23 but versions < 0.5 have a prototype pollution vulnerability as described in https://github.com/advisories/GHSA-776f-qx25-q3cc
From what I could see in https://github.com/Leonidas-from-XIV/node-xml2js there seem to be no breaking changes in xml2js 5.0.0, so fixing the issue should be a simple matter.
Cucumber-JS uses this library and all tests passed after I applied an override.
https://github.com/cucumber/cucumber-js/pull/2275
Thanks for reporting. It should be fixed with v0.4.1
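To confirm that an upgrade or override actually removed every copy of xml2js in the range the advisory names (< 0.5), the lockfile can be checked directly. This is an added example, not code from the thread, chai-xml or Cucumber-JS; `findOldXml2js` and the sample lockfile are constructed for illustration.

```javascript
// Added example: list xml2js copies older than 0.5.0 in a parsed package-lock.json.
const FIXED = [0, 5, 0]; // first version outside the "< 0.5" range from the advisory

// "0.4.23" -> [0, 4, 23]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  return String(v).split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function isBelow(version, floor) {
  const parts = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    const x = parts[i] || 0;
    if (x !== floor[i]) return x < floor[i];
  }
  return false; // equal to the floor, so not below it
}

function findOldXml2js(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (meta && meta.version && isBelow(meta.version, FIXED)) {
      hits.push({ path, version: meta.version });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/xml2js$/.test(path)) check(path, meta);
  }
  // lockfileVersion 1: nested "dependencies" tree (only when "packages" is absent).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${name}`;
      if (name === 'xml2js') check(here, meta);
      walk(meta.dependencies, `${here}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: one nested old copy, one hoisted fixed copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chai-xml/node_modules/xml2js': { version: '0.4.23' },
    'node_modules/xml2js': { version: '0.5.0' },
  },
};
console.log(findOldXml2js(sampleLock));
```

For a real project, pass `JSON.parse` of the contents of `package-lock.json`; an empty result means no resolved xml2js copy is below 0.5.0.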