search

linkeddata / rdflib.js

Linked Data API for JavaScript
http://linkeddata.github.io/rdflib.js/doc/
Other
566 stars 146 forks source link

vulnerability in jsonld #488

Closed scenaristeur closed 2 years ago

scenaristeur commented 3 years ago

hi, my last npm update show me a dependency vulnerability on jsonld

"@ldflex/rdflib": "^1.0.0", "@solid/query-ldflex": "^2.11.3",

(last version of "jsonld" is "version": "5.2.1-0")


xmldom  <0.5.0
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1650
No fix available
node_modules/jsonld/node_modules/xmldom
node_modules/rdflib/node_modules/xmldom
  jsonld  0.0.59 - 3.3.2
  Depends on vulnerable versions of xmldom
  node_modules/jsonld
    rdflib  >=0.2.1
    Depends on vulnerable versions of jsonld
    Depends on vulnerable versions of xmldom
    node_modules/rdflib
      @ldflex/rdflib  *
      Depends on vulnerable versions of rdflib
      node_modules/@ldflex/rdflib
karfau commented 2 years ago

I'm not sure if I'm reading this "stacktrace" properly, but at least some part of it is beause of the xmldom dependency of this project.

And there is actually a fix avaliable: switching to the new scoped package name @xmldom/xmldom which the maintainers were forced to use since 0.7.0 (which fixes the mentioned vulnerability.

I'm one of the maintainers and I'm going to provide a PR for that upgrade.