Dependency <xmldom> 0.6.0 has security vulnerability

Question

Dependency <xmldom> 0.6.0 has security vulnerability

be5invis opened this issue 3 years ago · comments

https://www.npmjs.com/advisories/1769

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.7.0
(see issue #271 for the status of publishing the version to npm or join for Q&A/discussion #270 until it's resolved)

Andreas Lind · Answer 1 · Sun Aug 15 2021 21:21:48 GMT+0800 (China Standard Time)

It doesn't really matter, as xmldom is not used for serialization in this project.

Also, xmldom 0.7.0 has not been published, so it's not actionable right now.

Belleve · Answer 2 · Fri Aug 20 2021 09:20:34 GMT+0800 (China Standard Time)

@xmldom/xmldom 0.7.1 has been published.

Andreas Lind · Answer 3 · Fri Aug 20 2021 14:33:49 GMT+0800 (China Standard Time)

Okay, fixed in 7.1.1.