bubblewrap icon indicating copy to clipboard operation
bubblewrap copied to clipboard
verified publisher icon GoogleChromeLabs

Increase the version of xml-2-js in bubblewrap cli package to eliminate the vulnerability

Open ahmetcetin39 opened this issue 2 years ago • 2 comments

We are using @bubblewrap/[email protected] which brings xml2js inside and our dependabot raised the issue below.

The latest possible version that can be installed is 0.4.23 because of the following conflicting dependency: @bubblewrap/[email protected] requires xml2js@^0.4.5 via a transitive dependency on [email protected] The earliest fixed version is 0.5.0.

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

Releasing a newer version of bubblewrap/cli will help users to avoid this security concern.

ahmetcetin39 avatar Apr 11 '23 10:04 ahmetcetin39

This dependency is brought in via jimp, and the latest 0.22.7 version is not yet using [email protected]

andreban avatar Apr 17 '23 21:04 andreban

This is blocked on https://github.com/jimp-dev/jimp/issues/1223, which is blocked on https://github.com/mattdesl/parse-bmfont-xml/pull/4.

andreban avatar Apr 20 '23 07:04 andreban