Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xml2js is vulnerable to prototype pollution #128

Closed
bursache opened this issue Apr 12, 2023 · 1 comment · Fixed by #129
Closed

xml2js is vulnerable to prototype pollution #128

bursache opened this issue Apr 12, 2023 · 1 comment · Fixed by #129
Assignees
@regevbr
Labels
bug Something isn't working

Comments

@bursache
Copy link

Expected Behavior

aws-sdk dependency should accept patches.

Current Behavior

aws-sdk dependency is listed with a fixed version that has a direct depedency to xml2js which is vulnerable to prototpye pollution. aws-sdk has been patched here: aws/aws-sdk-js#4389

Steps to Reproduce (for bugs)

npm install
npm audit --registry=https://registry.npmjs.org/
OR
npx better-npm-audit audit --level=high --registry=https://registry.npmjs.org/
@bursache bursache added the bug Something isn't working label Apr 12, 2023
@regevbr regevbr mentioned this issue Apr 12, 2023
Merged
@regevbr
Copy link
Contributor

regevbr commented Apr 12, 2023

fixed in https://github.com/PruvoNet/squiss-ts/releases/tag/v5.0.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@regevbr regevbr

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

V5 - drop old node versions and move to new AWS sdk PruvoNet/squiss-ts
2 participants
@regevbr @bursache