CVE-2021-32796 due to dependency on deprecated adal-node package which in turn uses xmldom@0.6.0
prueker opened this issue
Tedious needs to upgrade to @azure/msal-node to mitigate CVE-2021-32796, which is caused by xmldom, a dependency of the deprecated adal-node package, as per https://github.com/AzureAD/azure-activedirectory-library-for-nodejs.
https://nvd.nist.gov/vuln/detail/CVE-2021-32796
```
└─┬ tedious@11.4.0
  └─┬ adal-node@0.2.2
    └── xmldom@0.6.0
```
Note, due to the inability to take ownership of xmldom, it is now published as @xmldom/xmldom@0.7.0 by the new maintainers (ref).
Also worth noting: there's a dependency via @azure/ms-rest-nodeauth as well.

```
└─┬ tedious@11.4.0
  ├─┬ @azure/ms-rest-nodeauth@3.0.10
  │ └── adal-node@0.2.2 deduped
  └── adal-node@0.2.2
```

And that's not going to be addressed, according to Azure/ms-rest-nodeauth#128, and they are recommending moving to @azure/identity instead.
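As an added example (not code from tedious, adal-node or anyone in this thread), here is a small Node script that finds every dependency chain from a project to xmldom in an npm lockfile and reports which ones land on a version affected by CVE-2021-32796 (anything below 0.7.0, under either the old `xmldom` name or the new `@xmldom/xmldom` scope). It reads the flat `packages` map of lockfileVersion 2/3 files and resolves each dependency the way Node does (nearest `node_modules` first, then walking up), so nested and deduped installs both resolve to the right entry. The two lockfile fragments are constructed to mirror the trees quoted above; the "after" state assumes adal-node@0.2.3 declares `@xmldom/xmldom` with a `^0.7.0` range, which is an assumption (the thread only says 0.2.3 was published with @xmldom/xmldom).

```javascript
// Added example, not code from tedious, adal-node or this thread: audit an npm
// lockfile (lockfileVersion 2 or 3, which carry a flat "packages" map keyed by
// install path) for every dependency chain that reaches xmldom, and flag
// versions affected by CVE-2021-32796 (fixed in 0.7.0, published as @xmldom/xmldom).

// Constructed lockfile fragment that mirrors the `npm ls` output quoted in this thread.
const LOCK_VULNERABLE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { tedious: "^11.4.0" } },
    "node_modules/tedious": {
      version: "11.4.0",
      dependencies: { "adal-node": "^0.2.2", "@azure/ms-rest-nodeauth": "^3.0.10" },
    },
    "node_modules/@azure/ms-rest-nodeauth": { version: "3.0.10", dependencies: { "adal-node": "^0.2.2" } },
    "node_modules/adal-node": { version: "0.2.2", dependencies: { xmldom: "^0.6.0" } },
    "node_modules/xmldom": { version: "0.6.0" },
  },
};

// Constructed "after" state: adal-node@0.2.3 pulling the maintained scope.
// The "^0.7.0" range is an assumption; the thread only says 0.2.3 uses @xmldom/xmldom.
const LOCK_FIXED = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { tedious: "^11.4.0" } },
    "node_modules/tedious": {
      version: "11.4.0",
      dependencies: { "adal-node": "^0.2.3", "@azure/ms-rest-nodeauth": "^3.0.10" },
    },
    "node_modules/@azure/ms-rest-nodeauth": { version: "3.0.10", dependencies: { "adal-node": "^0.2.3" } },
    "node_modules/adal-node": { version: "0.2.3", dependencies: { "@xmldom/xmldom": "^0.7.0" } },
    "node_modules/@xmldom/xmldom": { version: "0.7.0" },
  },
};

const XMLDOM_NAMES = new Set(["xmldom", "@xmldom/xmldom"]);
const FIXED_IN = [0, 7, 0]; // CVE-2021-32796 is fixed in 0.7.0

// Package name from an install path; keeps the scope ("node_modules/@azure/x" -> "@azure/x").
function pkgName(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Node's resolution order: look in the dependant's own node_modules, then walk
// up one nesting level at a time, ending at the top-level node_modules.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. an optional dep that was skipped)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Numeric major.minor.patch comparison against a [major, minor, patch] triple.
function compareVersions(version, triple) {
  const parts = version.split("-")[0].split(".").map(Number); // drop any prerelease tag
  for (let i = 0; i < 3; i++) {
    const d = (parts[i] || 0) - (triple[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every chain from the root project to an xmldom package, each step labelled name@version.
// Cycle-safe via the on-stack set. On very large lockfiles the number of distinct chains
// can grow quickly, so a real tool would cap the depth or deduplicate by resolved path.
function findXmldomChains(lock) {
  const pkgs = lock.packages;
  const chains = [];
  const label = (p) => `${pkgName(p)}@${pkgs[p].version}`;
  function walk(fromPath, chain, onStack) {
    const deps = pkgs[fromPath].dependencies || {}; // runtime deps only; add devDependencies at the root if wanted
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(pkgs, fromPath, dep);
      if (next === null || onStack.has(next)) continue;
      const nextChain = chain.concat(label(next));
      if (XMLDOM_NAMES.has(pkgName(next))) chains.push(nextChain);
      onStack.add(next);
      walk(next, nextChain, onStack);
      onStack.delete(next);
    }
  }
  walk("", [], new Set([""]));
  return chains;
}

// Report each chain with a verdict: anything below 0.7.0, under either name, is affected.
function auditXmldom(lock) {
  return findXmldomChains(lock).map((chain) => {
    const leaf = chain[chain.length - 1];
    const version = leaf.slice(leaf.lastIndexOf("@") + 1); // lastIndexOf copes with scoped names
    return { chain, affected: compareVersions(version, FIXED_IN) < 0 };
  });
}

// Real project: auditXmldom(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
for (const lock of [LOCK_VULNERABLE, LOCK_FIXED]) {
  for (const f of auditXmldom(lock)) {
    console.log(`${f.affected ? "AFFECTED" : "ok      "} ${f.chain.join(" > ")}`);
  }
}
```

On the vulnerable tree this prints both chains (directly via adal-node and via @azure/ms-rest-nodeauth, which `npm ls` collapses as "deduped") as AFFECTED; on the fixed tree the same two chains end at @xmldom/xmldom@0.7.0 and pass. Checking chains rather than just `npm ls xmldom` matters here because the fix has to reach every dependant that pins adal-node, not only the one you upgraded directly.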
Thank you guys for the suggestions. We are currently looking into migrating to using @azure/identity. Like I replied in issue #1238, we will give you guys an update.
adal-node@0.2.3 has been published with @xmldom/xmldom.
If anyone else is wondering, the reply from @jasonnutter effectively says that this issue is resolved and can be closed.