papandreou / node-cldr

node.js library for extracting data from CLDR (the Unicode Common Locale Data Repository)
BSD 3-Clause "New" or "Revised" License

Dependency <xmldom> 0.6.0 has security vulnerability #153

Closed be5invis closed 3 years ago

be5invis commented 3 years ago

https://www.npmjs.com/advisories/1769

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.7.0 (see issue #271 for the status of publishing the version to npm or join for Q&A/discussion #270 until it's resolved)

papandreou commented 3 years ago

It doesn't really matter, as xmldom is not used for serialization in this project.

Also, xmldom 0.7.0 has not been published, so it's not actionable right now.

be5invis commented 3 years ago

@xmldom/xmldom 0.7.1 has been published.

papandreou commented 3 years ago

Okay, fixed in 7.1.1.
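A defender's check for the affected range discussed in this thread, added here as an example (not code from node-cldr or xmldom): it scans a package-lock.json for an unscoped `xmldom` at 0.6.0 or older, the versions the advisory covers, so a project can confirm it has moved to `@xmldom/xmldom` 0.7.1 or later. The lockfile contents are constructed for illustration.

```javascript
// Added example, not code from node-cldr or xmldom: scan a package-lock.json
// for unscoped "xmldom" at 0.6.0 or older (the range the advisory above covers).
const LAST_VULNERABLE = '0.6.0';
// Numeric comparison of dotted version strings (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Handles lockfile v2/v3 ("packages" map keyed by install path) and
// v1 (nested "dependencies" tree). Returns {path, version} for each hit.
// The scoped "@xmldom/xmldom" package is not flagged: its name differs.
function findVulnerableXmldom(lock) {
  const hits = [];
  const check = (path, name, version) => {
    if (name === 'xmldom' && version && compareVersions(version, LAST_VULNERABLE) <= 0) {
      hits.push({ path, version });
    }
  };
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key !== '') check(key, key.split('node_modules/').pop(), entry.version);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        check(path, name, entry.version);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile (v2 shape); not node-cldr's real lockfile.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/cldr': { version: '7.0.0' },
    'node_modules/cldr/node_modules/xmldom': { version: '0.6.0' },
    'node_modules/@xmldom/xmldom': { version: '0.7.1' },
  },
};
console.log(findVulnerableXmldom(SAMPLE_LOCK));
```

Pass the parsed contents of a real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) in place of `SAMPLE_LOCK`; an empty result means no unscoped xmldom at or below 0.6.0 remains in the tree.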