microsoft / rushstack

Monorepo for tools developed by the Rush Stack community
https://rushstack.io/

[rush] Dependent package xml2js has a vulnerability #4056

Open Marija-Pet opened 1 year ago

Marija-Pet commented 1 year ago

Dependent package xml2js has a vulnerability

Summary

Vulnerability found in xml2js package affecting versions >=0.4.23 <0.5.0: https://security.snyk.io/vuln/SNYK-JS-XML2JS-5414874

How to fix? Upgrade xml2js to version 0.5.0 or higher.
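
To see which dependencies still resolve a copy of xml2js below 0.5.0, the fix version named above, a lockfile can be scanned directly. This is an added example, not part of the issue or of rushstack's code; the lockfile is constructed and assumes the npm package-lock v2/v3 `packages` layout, and `findBelowFix` and the `tool-a`/`tool-b` package names are hypothetical.

```javascript
// Added example (not rushstack code). The lockfile below is constructed and
// assumes the npm package-lock v2/v3 layout, where "packages" is keyed by path.
const FIX = [0, 5, 0]; // fix version named in the issue

// Parse "major.minor.patch"; returns null for anything else.
// Prerelease/build suffixes are ignored in this simplified comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every installed copy of `name` that is below the fix version,
// plus copies whose version string could not be parsed (review by hand).
function findBelowFix(lock, name = "xml2js") {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    // The text after the last "node_modules/" is the package name, so
    // "xml2js-helper" or "@scope/xml2js" do not match.
    if (idx === -1 || path.slice(idx + marker.length) !== name) continue;
    const parsed = parseVersion(meta.version);
    if (parsed === null || isBelow(parsed, FIX)) {
      hits.push({ path, version: meta.version ?? null });
    }
  }
  return hits;
}

// Constructed sample: one fixed top-level copy, two nested older copies.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/xml2js": { version: "0.5.0" },
    "node_modules/tool-a/node_modules/xml2js": { version: "0.4.23" },
    "node_modules/tool-b/node_modules/xml2js": { version: "0.4.19" },
    "node_modules/xml2js-helper": { version: "0.4.23" },
  },
};
console.log(findBelowFix(sampleLock));
```

The nested path in each hit names the dependency that pins the older copy, which is the package that needs an update or an override.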

randyram-at-ms commented 1 year ago

We're seeing this flagged by component governance as well.