Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade xlmdom dependency to fix security advisory #110

Closed
sofiyaca opened this issue Aug 4, 2021 · 12 comments
Closed

Upgrade xlmdom dependency to fix security advisory #110

sofiyaca opened this issue Aug 4, 2021 · 12 comments

Comments

@sofiyaca
Copy link

sofiyaca commented Aug 4, 2021

The dependency on xlmdom listed in package.json has a vulnerability. Can the version restriction be upgraded to allow the fixed version 0.7.0?
@mreinstein
Copy link
Collaborator

Can the version restriction be upgraded to allow the fixed version 0.7.0?

I think maybe there is some confusion. xmldom hasn't published a 0.7.0 version yet. Are you referring to something else?

@vladimiry
Copy link

vladimiry commented Aug 4, 2021
edited
Loading

xmldom hasn't published a 0.7.0 version yet

They did but only as github release (repo update), not published on npm yet.

@sofiyaca, the xmldom": "^0.6.0 version restriction looks fine as it will allow to pick up the 0.7.0 update when the time/npm-release comes.

@mreinstein
Copy link
Collaborator

ahhhh, it appears a I updated the xmldom dep a few weeks ago, but never published it to npm. Will do that now.

@mreinstein
Copy link
Collaborator

It's live as 3.0.3.

@daveallie
Copy link

This should be reopened. plist 3.0.3 bumped xmldom to ^0.6.0 which is >= 0.6.0, < 0.7.0. The vulnerability was patched in version 0.7.0 of xmldom. Would you mind bumping the xmldom dependency to allow for 0.7.0 and releasing another patch of plist?

@mreinstein
Copy link
Collaborator

As of right now, there is no such thing as xmldom@0.7.0. See here: https://www.npmjs.com/package/xmldom

The latest module published is 0.6.0.

When xmldom publishes this, we'll update.

@vladimiry
Copy link

plist 3.0.3 bumped xmldom to ^0.6.0 which is >= 0.6.0, < 0.7.0

Right, I missed leading zero.

When xmldom publishes this, we'll update.

There is going to be xmldom 0.6.1 release xmldom/xmldom#270 (reply in thread) so new plist release won't be required.

@mreinstein
Copy link
Collaborator

Just out of curiosity, does anyone know why the xmldom people are not able to publish 0.7.0 to npm?

They mention they're having trouble in the issue but not where this trouble is coming from.

Seems very...odd...

@vladimiry
Copy link

Some info recently posted here xmldom/xmldom#271 (comment)

@ryankashi
Copy link

Looks like they will be publishing a new version of xmldom called @xmldom. I believe it should be published later today with the fix

xmldom/xmldom#270

xmldom/xmldom#278

@harmonjt
Copy link

https://www.npmjs.com/package/@xmldom/xmldom

It is published.

@dylmye dylmye mentioned this issue Aug 23, 2021
Closed
mreinstein added a commit that referenced this issue Aug 27, 2021
@mreinstein
inline xmldom@0.6.0 to avoid false positive security message. Fixes #110
fa8e184 
, #111
@mreinstein
Copy link
Collaborator

fixed via fa8e184

@wollardj wollardj mentioned this issue Oct 24, 2021
Closed
jiansheng-gt pushed a commit to jiansheng-gt/plist.js that referenced this issue Nov 11, 2021
Revert "inline xmldom@0.6.0 to avoid false positive security message. F…
75d7d02 
…ixes TooTallNate#110, TooTallNate#111"

This reverts commit fa8e184.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update xmldom to 0.7.x
6 participants
@mreinstein @daveallie @vladimiry @ryankashi @harmonjt @sofiyaca