x2js / x2js

Apache License 2.0

Depends on a vulnerable version of `xmldom` #104

Closed s100 closed 3 years ago

s100 commented 3 years ago

x2js depends on xmldom@^0.1.19. xmldom versions 0.4.0 or older have this vulnerability. This can be remediated by updating to xmldom@0.5.0 or later.

xmldom has gone through some breaking changes since v0.1.19... hard to say from my perspective how taxing this upgrade would be.
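The dependency spec quoted above has a subtlety worth making explicit: under npm caret semantics, `^0.1.19` only allows `>=0.1.19 <0.2.0`, so no reinstall can ever pull in the fixed `0.5.0`; the spec itself has to be bumped. The following added example (not code from the x2js project or from anyone in this thread) checks that with a deliberately small, hand-rolled subset of semver (exact and caret specs only, an assumption made so it runs offline); the vulnerable and fixed versions are the ones stated in this issue.

```javascript
// Added example: can a package.json spec such as "^0.1.19" ever resolve to
// the fixed xmldom release? Hand-rolled subset of semver ("x.y.z" and
// "^x.y.z" only) so this runs with no dependencies.
const FIRST_FIXED = "0.5.0";   // from the issue: xmldom <= 0.4.0 is vulnerable

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator-style result: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIRST_FIXED) < 0;
}

// Translate a spec into the half-open interval [low, high) it allows.
// Caret semantics: ^1.2.3 -> <2.0.0, ^0.1.19 -> <0.2.0, ^0.0.3 -> <0.0.4.
function specToRange(spec) {
  if (!spec.startsWith("^")) return { low: spec, high: null }; // exact pin
  const [x, y, z] = parseVersion(spec.slice(1));
  const high = x > 0 ? `${x + 1}.0.0` : y > 0 ? `0.${y + 1}.0` : `0.0.${z + 1}`;
  return { low: spec.slice(1), high };
}

// Can `npm install` satisfy this spec with a fixed xmldom? If not, the
// spec in package.json must change, which is what a dependabot bump does.
function auditSpec(spec) {
  const { low, high } = specToRange(spec);
  const fixReachable = high === null
    ? !isVulnerable(low)
    : compareVersions(high, FIRST_FIXED) > 0;
  return { spec, lowestAllowed: low, lowestIsVulnerable: isVulnerable(low), fixReachable };
}

console.log(auditSpec("^0.1.19")); // fixReachable: false
console.log(auditSpec("^0.5.0"));  // fixReachable: true
```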

jessehouwing commented 3 years ago

It looks like the dependabot PR passes tests, that's good.

https://github.com/x2js/x2js/pull/103

Maxouhell commented 3 years ago

Ok, sorry, I don't know why but notifications were disabled... I will update that ASAP and make a new version (before the end of the week, I promise :) )

Maxouhell commented 3 years ago

Done! V3.4.1. Let me know if there is any issue!

s100 commented 3 years ago

Perfect. Thank you very much for the speedy turnaround here!