We are using @bubblewrap/cli@1.19.1 which brings xml2js inside and our dependabot raised the issue below.

The latest possible version that can be installed is 0.4.23 because of the following conflicting dependency:
@bubblewrap/cli@1.19.1 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4
The earliest fixed version is 0.5.0.

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Releasing a newer version of bubblewrap/cli will help users to avoid this security concern.

This dependency is brought in via jimp, and the latest 0.22.7 version is not yet using xml2js@0.5.x

This is blocked on jimp-dev/jimp#1223, which is blocked on mattdesl/parse-bmfont-xml#4.