avelino/monotropic-theme-vscode

xml2js is vulnerable to prototype pollution

avelino opened this issue · 0 comments

Dependabot cannot update xml2js to a non-vulnerable version

The latest possible version that can be installed is 0.4.23 because of the following conflicting dependencies:

  vsce@2.7.0 requires xml2js@^0.4.23
  No patched version available for xml2js

The earliest fixed version is 0.5.0.

  proxy | 2023/06/17 23:48:01 proxy starting, commit: e11a9091e6d61fc45afc46a500c4b9a417032297
  proxy | 2023/06/17 23:48:01 Listening (:1080)
updater | 2023-06-17T23:48:01.561619039 [679878718:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-06-17T23:48:03Z" level=info msg="guest starting" commit=46321cdb8407cc5cd7b86abb8137007376af9f3a
updater | time="2023-06-17T23:48:03Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=679878718 updater_timeout=45m0s updater_version=af07742f8073e676c33f24cfdb3703ca7725d25f-npm
updater | 2023/06/17 23:48:04 INFO Raven 3.1.2 ready to catch errors
updater | 2023/06/17 23:48:05 INFO <job_679878718> Starting job processing
  proxy | 2023/06/17 23:48:05 [002] GET https://github.com:443/avelino/monotropic-theme-vscode/info/refs?service=git-upload-pack
  proxy | 2023/06/17 23:48:05 [002] * authenticating git server request (host: github.com)
  proxy | 2023/06/17 23:48:06 [002] 200 https://github.com:443/avelino/monotropic-theme-vscode/info/refs?service=git-upload-pack
  proxy | 2023/06/17 23:48:06 [004] POST https://github.com:443/avelino/monotropic-theme-vscode/git-upload-pack
  proxy | 2023/06/17 23:48:06 [004] * authenticating git server request (host: github.com)
  proxy | 2023/06/17 23:48:06 [004] 200 https://github.com:443/avelino/monotropic-theme-vscode/git-upload-pack
  proxy | 2023/06/17 23:48:06 [006] POST https://github.com:443/avelino/monotropic-theme-vscode/git-upload-pack
  proxy | 2023/06/17 23:48:06 [006] * authenticating git server request (host: github.com)
  proxy | 2023/06/17 23:48:06 [006] 200 https://github.com:443/avelino/monotropic-theme-vscode/git-upload-pack
updater | 2023/06/17 23:48:06 INFO <job_679878718> Finished job processing
updater | time="2023-06-17T23:48:06Z" level=info msg="task complete" container_id=job-679878718-file-fetcher exit_code=0 job_id=679878718 step=fetcher
updater | 2023/06/17 23:48:07 INFO Raven 3.1.2 ready to catch errors
updater | 2023/06/17 23:48:08 INFO <job_679878718> Starting job processing
updater | 2023/06/17 23:48:08 INFO <job_679878718> Starting update job for avelino/monotropic-theme-vscode
updater | 2023/06/17 23:48:08 INFO <job_679878718> Checking if xml2js 0.4.23 needs updating
  proxy | 2023/06/17 23:48:08 [014] GET https://registry.npmjs.org:443/xml2js
  proxy | 2023/06/17 23:48:08 [014] 200 https://registry.npmjs.org:443/xml2js
  proxy | 2023/06/17 23:48:08 [016] GET https://registry.npmjs.org:443/xml2js/0.6.0
  proxy | 2023/06/17 23:48:08 [016] 200 https://registry.npmjs.org:443/xml2js/0.6.0
updater | 2023/06/17 23:48:08 INFO <job_679878718> Latest version is 0.6.0
  proxy | 2023/06/17 23:48:08 [018] GET https://registry.npmjs.org:443/monotropic-theme
  proxy | 2023/06/17 23:48:09 [018] 404 https://registry.npmjs.org:443/monotropic-theme
  proxy | 2023/06/17 23:48:10 [020] GET https://registry.npmjs.org:443/xml2js
  proxy | 2023/06/17 23:48:10 [020] 200 https://registry.npmjs.org:443/xml2js
updater | 2023/06/17 23:48:10 INFO <job_679878718> VulnerabilityAuditor: starting audit
  proxy | 2023/06/17 23:48:11 [022] GET https://registry.npmjs.org:443/vsce
  proxy | 2023/06/17 23:48:11 [022] 200 https://registry.npmjs.org:443/vsce
  proxy | 2023/06/17 23:48:12 [028] GET https://registry.npmjs.org:443/denodeify
  proxy | 2023/06/17 23:48:12 [029] GET https://registry.npmjs.org:443/markdown-it
  proxy | 2023/06/17 23:48:12 [030] GET https://registry.npmjs.org:443/lodash
  proxy | 2023/06/17 23:48:12 [031] GET https://registry.npmjs.org:443/url-join
  proxy | 2023/06/17 23:48:12 [032] GET https://registry.npmjs.org:443/osenv
  proxy | 2023/06/17 23:48:12 [029] 200 https://registry.npmjs.org:443/markdown-it
  proxy | 2023/06/17 23:48:12 [030] 200 https://registry.npmjs.org:443/lodash
  proxy | 2023/06/17 23:48:12 [031] 200 https://registry.npmjs.org:443/url-join
  proxy | 2023/06/17 23:48:12 [028] 200 https://registry.npmjs.org:443/denodeify
  proxy | 2023/06/17 23:48:12 [032] 200 https://registry.npmjs.org:443/osenv
  proxy | 2023/06/17 23:48:12 [040] GET https://registry.npmjs.org:443/argparse
  proxy | 2023/06/17 23:48:12 [041] GET https://registry.npmjs.org:443/linkify-it
  proxy | 2023/06/17 23:48:12 [042] GET https://registry.npmjs.org:443/entities
  proxy | 2023/06/17 23:48:12 [043] GET https://registry.npmjs.org:443/os-homedir
  proxy | 2023/06/17 23:48:12 [044] GET https://registry.npmjs.org:443/mdurl
  proxy | 2023/06/17 23:48:12 [045] GET https://registry.npmjs.org:443/uc.micro
  proxy | 2023/06/17 23:48:12 [046] GET https://registry.npmjs.org:443/os-tmpdir
  proxy | 2023/06/17 23:48:12 [041] 200 https://registry.npmjs.org:443/linkify-it
  proxy | 2023/06/17 23:48:12 [042] 200 https://registry.npmjs.org:443/entities
  proxy | 2023/06/17 23:48:12 [040] 200 https://registry.npmjs.org:443/argparse
  proxy | 2023/06/17 23:48:12 [045] 200 https://registry.npmjs.org:443/uc.micro
  proxy | 2023/06/17 23:48:12 [046] 200 https://registry.npmjs.org:443/os-tmpdir
  proxy | 2023/06/17 23:48:12 [044] 200 https://registry.npmjs.org:443/mdurl
  proxy | 2023/06/17 23:48:12 [043] 200 https://registry.npmjs.org:443/os-homedir
  proxy | 2023/06/17 23:48:12 [048] GET https://registry.npmjs.org:443/sprintf-js
  proxy | 2023/06/17 23:48:12 [048] 200 https://registry.npmjs.org:443/sprintf-js
updater | 2023/06/17 23:48:12 INFO <job_679878718> VulnerabilityAuditor: audit result not viable: downgrades_dependencies
updater | 2023/06/17 23:48:12 INFO <job_679878718> Requirements to unlock update_not_possible
  proxy | 2023/06/17 23:48:12 [050] GET https://registry.npmjs.org:443/monotropic-theme
  proxy | 2023/06/17 23:48:12 [050] 404 https://registry.npmjs.org:443/monotropic-theme
updater | 2023/06/17 23:48:12 INFO <job_679878718> Requirements update strategy bump_versions
  proxy | 2023/06/17 23:48:12 [052] GET https://registry.npmjs.org:443/xml2js/0.5.0
  proxy | 2023/06/17 23:48:12 [052] 200 https://registry.npmjs.org:443/xml2js/0.5.0
updater | 2023/06/17 23:48:13 INFO <job_679878718> The latest possible version that can be installed is 0.4.23 because of the following conflicting dependencies:
updater | 
updater |   vsce@2.7.0 requires xml2js@^0.4.23
updater |   No patched version available for xml2js
updater | 2023/06/17 23:48:13 INFO <job_679878718> The earliest fixed version is 0.5.0.
updater | 2023/06/17 23:48:13 INFO <job_679878718> Finished job processing
updater | 2023/06/17 23:48:13 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +------------------------------+
updater | |            Errors            |
updater | +------------------------------+
updater | | security_update_not_possible |
updater | +------------------------------+
updater | time="2023-06-17T23:48:13Z" level=info msg="task complete" container_id=job-679878718-updater exit_code=0 job_id=679878718 step=updater