postalsys / mailauth

Command line utility and a Node.js library for email authentication

mailauth depends on a vulnerable library #40

Closed augjoh closed 1 year ago

augjoh commented 1 year ago

Latest mailauth depends on a vulnerable library, please provide an update.

```
# npm audit report
fast-xml-parser  <4.2.4
Severity: high
fast-xml-parser vulnerable to Regex Injection via Doctype Entities - https://github.com/advisories/GHSA-6w63-h3fj-q4vw
fix available via `npm audit fix --force`
Will install mailauth@3.0.1, which is a breaking change
node_modules/fast-xml-parser
  mailauth  >=3.0.2
  Depends on vulnerable versions of fast-xml-parser
  node_modules/mailauth
```

andris9 commented 1 year ago

Thank you for notifying. The xml parser is not used for any core features, so I’ll update the dependency whenever there is a new release for mailauth. No ETA for now.

andris9 commented 1 year ago

Updated in v4.4.0
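
To confirm which installed copy of fast-xml-parser a dependent actually resolves, and which package pulls it in, the following added example (not part of the original thread or of the mailauth project) walks the `packages` map of a parsed package-lock.json (lockfileVersion 2 or 3). The sample lockfile, the versions in it and the `other-lib` package are constructed for illustration; the 4.2.4 threshold is the one from the audit report above.

```javascript
// Added example. SAMPLE_LOCK is constructed; "other-lib" is a hypothetical package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { mailauth: '^3.0.2', 'other-lib': '^1.0.0' } },
    'node_modules/mailauth': { version: '3.0.2', dependencies: { 'fast-xml-parser': '^4.0.0' } },
    'node_modules/fast-xml-parser': { version: '4.2.3' },
    'node_modules/other-lib': { version: '1.0.0', dependencies: { 'fast-xml-parser': '^4.2.4' } },
    'node_modules/other-lib/node_modules/fast-xml-parser': { version: '4.2.4' },
  },
};

// Compare plain x.y.z versions; any prerelease suffix is ignored (simplification).
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Node resolution: look in the dependent's own node_modules, then walk up to the root.
function resolveCopy(pkgs, fromPath, name) {
  let base = fromPath;
  while (true) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (pkgs[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Returns [{ dependent, resolvedPath, version }] for resolved copies older than fixedIn.
function findVulnerableDependents(lock, name, fixedIn) {
  const pkgs = lock.packages || {}, hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies, ...meta.devDependencies };
    if (!(name in deps)) continue;
    const resolvedPath = resolveCopy(pkgs, path, name);
    if (!resolvedPath || cmpVersion(pkgs[resolvedPath].version, fixedIn) >= 0) continue;
    const dependent = (meta.name || path.split('node_modules/').pop()) + '@' + meta.version;
    hits.push({ dependent, resolvedPath, version: pkgs[resolvedPath].version });
  }
  return hits;
}

console.log(findVulnerableDependents(SAMPLE_LOCK, 'fast-xml-parser', '4.2.4'));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as the first argument. Only copies that some package in the lockfile declares as a dependency are reported.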