webpack-pwa-manifest icon indicating copy to clipboard operation
webpack-pwa-manifest copied to clipboard

Published 20 hours ago verified publisher icon arthurbergmz

v4.3.0: xml2js is vulnerable to prototype pollution

Open VladimirKhil opened this issue 1 year ago • 0 comments

Hi!

I got dependabot alert in my project referencing webpack-pwa-manifest v4.3.0:

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

[email protected] requires xml2js@^0.4.5 via a transitive dependency on [email protected]
No patched version available for xml2js

The earliest fixed version is 0.5.0.

parse-bmfont-xml project seems to be unsupported. Could a reference to it be replaced by something else?

VladimirKhil avatar May 23 '23 12:05 VladimirKhil