fonteditor-core
update xmldom dep
Dear @kekee000,
thank you very much for conceiving and maintaining this excellent package.
We have a small issue to report: downstream repositories like, in our case, [1] and [2], just started showing a Dependabot alert about the misinterpretation of malicious XML input issue [3,4], which affects all versions of xmldom < 0.7.0.
So, may we humbly ask if you can integrate this patch by @smhg and release a new version of fonteditor-core?
Thanks already and with kind regards, Andreas.
P.S.: While this patch upgrades to @xmldom/xmldom^0.7.5, version 0.8.0 was published three weeks ago, see [5]. More details about the renaming from xmldom to @xmldom/xmldom can be found at [6].
[1] https://github.com/astefanutti/decktape
[2] https://github.com/posterkit/posterkit-sandbox
[3] https://github.com/advisories/GHSA-5fg8-2547-mr8q
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-32796
[5] https://www.npmjs.com/package/@xmldom/xmldom
[6] https://github.com/xmldom/xmldom/issues/271
People looking into how to resolve this in the interim might be interested in https://github.com/posterkit/posterkit-sandbox/commit/e5a0e7e14, where we added a corresponding Yarn resolution setting to the package.json file.
"resolutions": {
"xmldom": "https://github.com/xmldom/xmldom/archive/refs/tags/v0.7.0.tar.gz"
}
Starting with npm 8.3, people might be able to use a corresponding npm overrides setting. (untested!)
"overrides": {
"xmldom": "https://github.com/xmldom/xmldom/archive/refs/tags/v0.7.0.tar.gz"
}
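Before adding a resolution or override, it helps to know which copies of xmldom are actually in the dependency tree, since a nested copy under another package is easy to miss. The following is an added example, not code from this PR or from the fonteditor-core project: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), lists every xmldom or @xmldom/xmldom entry below the fixed version named in the advisory, and builds the matching overrides/resolutions block. The lockfile contents, the package name demo-app, and the fonteditor-core version number in it are constructed for the example; the pin target is passed in by the caller, so the tarball URL from the comment above can be used as-is.

```javascript
// Added example (not from the PR or fonteditor-core): find vulnerable xmldom
// copies in a lockfile and emit the override/resolution block that pins them.

// First xmldom release containing the fix, per the advisory cited in the PR.
const FIXED = '0.7.0';

// Constructed lockfile fragment for the example (lockfileVersion 2 layout).
// It deliberately contains a nested copy under fonteditor-core, a hoisted
// copy, and an already-fixed @xmldom/xmldom.
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { 'fonteditor-core': '^2.1.0' } },
    'node_modules/fonteditor-core': { version: '2.1.0', dependencies: { xmldom: '^0.5.0' } },
    'node_modules/fonteditor-core/node_modules/xmldom': { version: '0.5.0' },
    'node_modules/xmldom': { version: '0.6.0' },
    'node_modules/@xmldom/xmldom': { version: '0.7.5' },
  },
};

// Parse "major.minor.patch" (any pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "0.10.0" is correctly treated as newer than "0.7.0".
function isBelow(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// The package name is whatever follows the last "node_modules/" segment,
// which keeps scoped names such as "@xmldom/xmldom" intact.
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Return every xmldom / @xmldom/xmldom entry whose version is below `fixed`,
// with the lockfile path so the reader can see which parent pulled it in.
function findVulnerableXmldom(lock, fixed = FIXED) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(lockPath);
    if (name !== 'xmldom' && name !== '@xmldom/xmldom') continue;
    if (!entry.version) continue;
    if (isBelow(entry.version, fixed)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Build the block to paste into package.json: "overrides" for npm >= 8.3,
// "resolutions" for Yarn. Both map the affected package name to `target`.
function buildPin(hits, target) {
  const names = [...new Set(hits.map((h) => h.name))];
  const pin = Object.fromEntries(names.map((n) => [n, target]));
  return { overrides: pin, resolutions: pin };
}

// Stand-alone run over the constructed lockfile.
const found = findVulnerableXmldom(sampleLock);
for (const h of found) {
  console.log(`${h.name}@${h.version} at ${h.path} is below ${FIXED}`);
}
console.log(JSON.stringify(
  buildPin(found, 'https://github.com/xmldom/xmldom/archive/refs/tags/v0.7.0.tar.gz'),
  null, 2,
));
```

Running it against a real lockfile means replacing sampleLock with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The version check stays numeric on purpose: a string comparison would wrongly flag a future 0.10.x as older than 0.7.0. After applying the override, regenerate the lockfile and rerun the scan to confirm that no entry below 0.7.0 remains.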
@kekee000 When you get a chance, can you please merge and release this security fix?