xmppo / node-expat

libexpat XML SAX parser binding for node.js
https://github.com/xmppo/node-expat
MIT License

[CVE-2022-23852] of underlying libexpat #215

Open Ilmarinen100 opened 2 years ago

Ilmarinen100 commented 2 years ago

The underlying version of libexpat packaged in node-expat is most likely vulnerable to the vulnerability documented for libexpat < 2.4.4

astro commented 2 years ago

Using an OS with package management, I've always wondered why we vendored libexpat.

Ilmarinen100 commented 2 years ago

> Using an OS with package management, I've always wondered why we vendored libexpat.

If only all OSes brought libs like that ... but wait - we might even get fewer security fixes for older devices where nobody updates the OS :D

hartwork commented 2 years ago

Please note that Expat 2.4.5 with more security fixes has been released by now.

AudunWA commented 9 months ago

Are there any plans to upgrade the bundled libexpat version to latest?