xmldom-sre vulnerability
Ancient-Dragon opened this issue · 4 comments
Hi there,
We're trying to bring in this package, but because of a vulnerability in xmldom-sre we are unable to. It also looks like this package isn't maintained; would it be possible to switch it out?
Thanks!
xmldom-sre is speech rule engine's own fork of xmldom, which is no longer maintained. The main difference is that it fixes a couple of bugs and adds a full list of HTML entities.
What exactly is the vulnerability that you have found? Maybe we can fix it.
When I install it with npm I get "found 0 vulnerabilities".
It was picked up by sonar for us; the vulnerability is CVE-2022-37616.
I've just made a new beta release and pushed speech-rule-engine@4.1.0-beta.3 to npm.
Its version of xmldom-sre is now based on the new fork from @xmldom/xmldom, which should take care of the security vulnerability. Have a look whether this works for you.
Thank you so much! I'll try to pull it in after the Easter weekend!