[Snyk] Security upgrade @xmldom/xmldom from 0.8.3 to 0.8.4 #138
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-3092934
| @@ -28,7 +28,7 @@ | |||
| }, | |||
| "dependencies": { | |||
| "@mapbox/geojson-rewind": "0.5.2", | |||
| "@xmldom/xmldom": "0.8.3", | |||
| "@xmldom/xmldom": "0.8.4", | |||
There was a problem hiding this comment.
The latest version is 0.8.6 at the time of writing: https://www.npmjs.com/package/@xmldom/xmldom?activeTab=versions
There was a problem hiding this comment.
Is the exact version of @xmldom/xmldom important? Why not ^0.8.4, which would have allowed projects that depend on osmtogeojson to upgrade the version to a non-vulnerable one without changing this repo?
There was a problem hiding this comment.
Good point. There aren’t any reported vulnerabilities in 0.8.4 and 0.8.5 (at least now): https://security.snyk.io/package/npm/@xmldom%2Fxmldom
Using ^0.8.4 would do!
There was a problem hiding this comment.
@kachkaev Please note that I'm not a maintainer of this package. I'm just wondering, as I'm here for the same reason as you (critical vulnerability in our project), but no other dependency is noted with ^ in this package. They all use exact versions.
There was a problem hiding this comment.
Yep. That's a reason why I’ve flagged the existence of 0.8.6. If the versions have to be fixed, it’s best to use the latest available just in case.
|
Is there any chance this PR gets merged soon? 🙏 |
|
@tyrasd Any chance this could be merged and deployed to NPM anytime soon? It would be great to resolve this vulnerability |
|
I opened a new more recent PR to fix this issue (#146). We are trying to get rid of the critical security issues in our project and that would be really helpful |
xmldom is a dependency of osmtogeojson that hasn't been updated yet, the xmldom version had to be updated in the package-lock to get around this, but there are unmerged PRs that should fix this eventually: tyrasd/osmtogeojson#138
* Removed unused files and code * Remove unused dependencies Removed unused dependencies, everything still works so far. * Ran npm audit fix (non-breaking changes only) * Axios update * Migrate from vue-cli to vite * Migrate to Vue3 - works but styling broken * Navbar styling fixed and S3 test build added * sideView styling fixed * Popup styling fixed * Map reset button fixed * Map styling fixed * Vite and autoprefixer dependencies update Everything still works * osmtogejson and xml version upgrade, plus popup warning fix xmldom is a dependency of osmtogeojson that hasn't been updated yet, the xmldom version had to be updated in the package-lock to get around this, but there are unmerged PRs that should fix this eventually: tyrasd/osmtogeojson#138 * Clean cache in test workflow * Fix CJS deprecation warning, fix minor popup styling It's no longer recommended to use require: https://vite.dev/guide/troubleshooting.html#vite-cjs-node-api-deprecated * update SCSS variables * Format and remove unused function * Update README * Several minor fixes - Override xmldom to fix vulnerability - Update README - Minor formatting - fix SVG warning in Chrome browser * Remove vue-cli references
* Removed unused files and code * Remove unused dependencies Removed unused dependencies, everything still works so far. * Ran npm audit fix (non-breaking changes only) * Axios update * Migrate from vue-cli to vite * Migrate to Vue3 - works but styling broken * Navbar styling fixed and S3 test build added * sideView styling fixed * Popup styling fixed * Map reset button fixed * Map styling fixed * Vite and autoprefixer dependencies update Everything still works * osmtogejson and xml version upgrade, plus popup warning fix xmldom is a dependency of osmtogeojson that hasn't been updated yet, the xmldom version had to be updated in the package-lock to get around this, but there are unmerged PRs that should fix this eventually: tyrasd/osmtogeojson#138 * Clean cache in test workflow * Fix CJS deprecation warning, fix minor popup styling It's no longer recommended to use require: https://vite.dev/guide/troubleshooting.html#vite-cjs-node-api-deprecated * update SCSS variables * Format and remove unused function * Update README * Converted building.geometry from CommonJS to ESM. * Added base url. * Test on PR (revert when done). * Revert changes to gh-deploy.yml. * gh-pages test * gh-pages test (fixed) * Add base URL to env * reroute to main on 404 * change base in vite.config * Pathing fix * dev mode icon path fix * Revert gh-pages workflow --------- Co-authored-by: s-egge <[email protected]> Co-authored-by: Brandon Lee <[email protected]>
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6
SNYK-JS-XMLDOMXMLDOM-3092934
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: @xmldom/xmldom
The new version differs by 3 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.