vscode-php-debug icon indicating copy to clipboard operation
vscode-php-debug copied to clipboard

Published 20 hours ago verified publisher icon xdebug

chore(deps): update dependency xmldom to 0.7.0 [security]

Open renovate[bot] opened this issue 3 years ago • 1 comments

Mend Renovate

This PR contains the following updates:

Package Change
xmldom 0.6.0 -> 0.7.0

GitHub Vulnerability Alerts

CVE-2021-32796

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #​271 for the status of publishing xmldom to npm or join #​270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

  • https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
  • https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

  • Open an issue in xmldom/xmldom
  • Email us: send an email to all addresses that are shown by npm owner ls @​xmldom/xmldom

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

renovate[bot] avatar Feb 06 '22 16:02 renovate[bot]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

renovate[bot] avatar Feb 06 '22 16:02 renovate[bot]