
Can XMLDOM be bumped to version 0.7.0? #1288

Closed
ryan-WORK opened this issue Aug 3, 2021 · 4 comments

Comments

@ryan-WORK

Expected behaviour:

Expected behavior is that there are no vulnerabilities after installing mssql.

Actual behaviour:

  Moderate        Misinterpretation of malicious XML input
  Package         xmldom
  Patched in      >=0.7.0
  Dependency of   mssql
  Path            mssql > tedious > @azure/ms-rest-nodeauth > adal-node > xmldom
  More info       https://npmjs.com/advisories/1769

  Moderate        Misinterpretation of malicious XML input
  Package         xmldom
  Patched in      >=0.7.0
  Dependency of   mssql
  Path            mssql > tedious > adal-node > xmldom
  More info       https://npmjs.com/advisories/1769

found 2 moderate severity vulnerabilities in 1074 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

Configuration:

npm i mssql

Software versions

  • NodeJS: v14.17.3
  • node-mssql: 7.2.0
  • SQL Server:

@psoleckimoj

Seconded, all our security workflows in CircleCI have just thrown this up.

@dhensby
Collaborator

dhensby commented Aug 4, 2021

  1. This is the wrong repo to bring this up in; it is not a dependency of this library.
  2. Have you reviewed the vulnerability to see if it actually applies / is used in a way that the vulnerability can be exploited when used in conjunction with this library?
  3. "Expected behavior is that there are no vulnerabilities after installing mssql." - I disagree with this expected behaviour; there is no such expectation within this library.

Additional reading for those that are interested - https://overreacted.io/npm-audit-broken-by-design/

@dhensby dhensby closed this as completed Aug 4, 2021
@dhensby
Collaborator

dhensby commented Aug 4, 2021

Just to add, given this is a dependency of @azure/ms-rest-nodeauth, I expect this is only even potentially an issue if you're using some Azure-based authentication and not standard MSSQL auth. And even then, whatever the vulnerability is, you'd have to be exposed to it.

@dhensby
Collaborator

dhensby commented Sep 7, 2021

Note: we will need to wait for tediousjs/tedious#1328 to be merged in tedious before the vulnerability warning is going to be resolved.
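As an added example (not code from the node-mssql project or from anyone in this thread), the triage asked for in point 2 above can start by enumerating every dependency path that reaches the flagged package and comparing the installed version with the advisory's "Patched in" range. The dependency graph below is constructed from the two audit paths in the report; its version strings are placeholders, not the real versions of those packages.

```javascript
// Added example: triage a transitive npm advisory by (1) listing every path from the
// root package to the flagged package and (2) checking the installed version against
// the advisory's patched range. The graph is CONSTRUCTED from the audit output above;
// versions other than the page's mssql 7.2.0 and the 0.7.0 threshold are placeholders.
const graph = {
  mssql: { version: '7.2.0', requires: ['tedious'] },
  tedious: { version: '0.0.0-placeholder', requires: ['@azure/ms-rest-nodeauth', 'adal-node'] },
  '@azure/ms-rest-nodeauth': { version: '0.0.0-placeholder', requires: ['adal-node'] },
  'adal-node': { version: '0.0.0-placeholder', requires: ['xmldom'] },
  xmldom: { version: '0.6.0', requires: [] }, // placeholder: any version below 0.7.0
};

// Compare dotted numeric versions; returns -1, 0 or 1 (no pre-release handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first enumeration of all paths from `root` to `target`, rendered like npm audit does.
function findPaths(graph, root, target, path = [root]) {
  if (root === target) return [path.join(' > ')];
  const out = [];
  for (const dep of (graph[root] || { requires: [] }).requires) {
    if (path.includes(dep)) continue; // skip dependency cycles
    out.push(...findPaths(graph, dep, target, [...path, dep]));
  }
  return out;
}

// Verdict: the package is a concern only if it is reachable AND below the patched version.
function triage(graph, root, pkg, patchedIn) {
  const paths = findPaths(graph, root, pkg);
  const installed = graph[pkg] ? graph[pkg].version : null;
  const vulnerable = installed !== null && paths.length > 0 && compareVersions(installed, patchedIn) < 0;
  return { paths, installed, vulnerable };
}

console.log(JSON.stringify(triage(graph, 'mssql', 'xmldom', '0.7.0'), null, 2));
```

A path in the graph only shows that the package is installed along that chain; whether the affected code is ever called in your application (the collaborator's second point) still has to be judged from how the library is actually used, for instance whether Azure-based authentication is configured at all.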
