PruvoNet / squiss-ts

High-volume Amazon SQS Poller for Node.js

xml2js is vulnerable to prototype pollution

bursache opened this issue · comments

Expected Behavior

aws-sdk dependency should accept patches.

Current Behavior

aws-sdk dependency is listed with a fixed version that has a direct dependency on xml2js, which is vulnerable to prototype pollution. aws-sdk has been patched here: aws/aws-sdk-js#4389

Steps to Reproduce (for bugs)

npm install
npm audit --registry=https://registry.npmjs.org/
OR
npx better-npm-audit audit --level=high --registry=https://registry.npmjs.org/
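
Added example, not part of the original issue or of squiss-ts: a small Node.js check that walks an `npm ls --all --json` style tree, finds every path to xml2js, and flags the direct dependencies whose `package.json` spec is an exact pin. The manifest, the tree, every version number and `example-lib` are constructed placeholders.

```javascript
// Constructed sample input. All version numbers are placeholders, not the
// real affected or patched releases; "example-lib" is hypothetical.
const manifest = {
  dependencies: { 'aws-sdk': '1.2.3', 'example-lib': '^4.0.0' },
};
// Same shape as `npm ls --all --json`: name -> { version, dependencies }.
const installed = {
  dependencies: {
    'aws-sdk': {
      version: '1.2.3',
      dependencies: { xml2js: { version: '0.1.0' }, uuid: { version: '3.0.0' } },
    },
    'example-lib': {
      version: '4.1.0',
      dependencies: { xml2js: { version: '0.1.0' } },
    },
  },
};

// Exact pin: bare x.y.z (optional "=" or "v" prefix, optional prerelease or
// build suffix). Anything with ^, ~, >, <, x, * or || is a range.
const EXACT = /^[=v]*\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$/;
function isExactPin(spec) {
  return EXACT.test(spec.trim());
}

// Depth-first walk: every path from a direct dependency down to `target`.
function pathsTo(node, target, trail = []) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${child.version}`];
    if (name === target) found.push(here);
    found.push(...pathsTo(child, target, here));
  }
  return found;
}

// For each path, name the direct dependency and say whether its spec in
// package.json is an exact pin, so npm cannot resolve a newer patched release.
function auditPins(pkg, tree, target) {
  return pathsTo(tree, target).map((path) => {
    const direct = path[0].slice(0, path[0].lastIndexOf('@'));
    const spec = (pkg.dependencies || {})[direct] ?? null;
    return { path: path.join(' > '), direct, spec, pinned: spec !== null && isExactPin(spec) };
  });
}

console.log(auditPins(manifest, installed, 'xml2js'));
```

Entries with `pinned: true` are the ones where the manifest spec itself has to change before a patched parent release can be installed.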