[Snyk] Security upgrade @xmldom/xmldom from 0.8.3 to 0.8.4 #138
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-3092934
| @@ -28,7 +28,7 @@ | |||
| }, | |||
| "dependencies": { | |||
| "@mapbox/geojson-rewind": "0.5.2", | |||
| "@xmldom/xmldom": "0.8.3", | |||
| "@xmldom/xmldom": "0.8.4", | |||
There was a problem hiding this comment.
The latest version is 0.8.6 at the time of writing: https://www.npmjs.com/package/@xmldom/xmldom?activeTab=versions
There was a problem hiding this comment.
Is the exact version of @xmldom/xmldom important? Why not ^0.8.4, which would have allowed projects that depend on osmtogeojson to upgrade the version to a non-vulnerable one without changing this repo?
There was a problem hiding this comment.
Good point. There aren’t any reported vulnerabilities in 0.8.4 and 0.8.5 (at least now): https://security.snyk.io/package/npm/@xmldom%2Fxmldom
Using ^0.8.4 would do!
There was a problem hiding this comment.
@kachkaev Please note that I'm not a maintainer of this package. I'm just wondering, as I'm here for the same reason as you (critical vulnerability in our project), but no other dependency is noted with ^ in this package. They all use exact versions.
There was a problem hiding this comment.
Yep. That's a reason why I’ve flagged the existence of 0.8.6. If the versions have to be fixed, it’s best to use the latest available just in case.
|
Is there any chance this PR gets merged soon? 🙏 |
|
@tyrasd Any chance this could be merged and deployed to NPM anytime soon? It would be great to resolve this vulnerability |
|
I opened a new more recent PR to fix this issue (#146). We are trying to get rid of the critical security issues in our project and that would be really helpful |
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.6
SNYK-JS-XMLDOMXMLDOM-3092934
(*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: @xmldom/xmldom
The new version differs by 3 commits.See the full diff
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.