Speech-Rule-Engine/speech-rule-engine

xmldom-sre vulnerability

Ancient-Dragon opened this issue · 4 comments

Hi there,

We're trying to bring in this package, but because of a vulnerability in xmldom-sre we are unable to. It also looks like this package isn't maintained; would it be possible to switch it out?

Thanks!

xmldom-sre is Speech Rule Engine's own fork of xmldom, which is no longer maintained. The main difference is that it fixes a couple of bugs and adds a full list of HTML entities.

What exactly is the vulnerability that you have found? Maybe we can fix it.
When I install it with npm I get `found 0 vulnerabilities`.

It was picked up by Sonar for us; the vulnerability is CVE-2022-37616.

zorkow commented

I've just made a new beta release and pushed speech-rule-engine@4.1.0-beta.3 to npm.
Its version of xmldom-sre is now based on the new fork from @xmldom/xmldom, which should take care of the security vulnerability. Have a look at whether this works for you.

Thank you so much, I'll try to pull it in after the Easter weekend!