krampstudio/chai-xml

Update xml2js to 0.5 to solve CVE-2023-0842

diego-santacruz opened this issue · 2 comments

chai-xml currently uses xml2js ^0.4.23, but versions < 0.5 have a prototype pollution vulnerability as described in GHSA-776f-qx25-q3cc.

From what I could see in https://github.com/Leonidas-from-XIV/node-xml2js, there seems to be no breaking changes in xml2js 5.0.0, so fixing the issue should be a simple matter.

Cucumber-JS uses this library and all tests passed after I applied an override.

cucumber/cucumber-js#2275
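The override the reporter describes is a consumer-side mitigation: npm's `overrides` field forces a patched xml2js into the dependency tree even though chai-xml still declares `^0.4.23`. As an added example (not code from chai-xml, cucumber-js or this issue), the script below shows the assumed `overrides` entry and a lockfile check that walks a `package-lock.json` `packages` map and reports every nested `node_modules/xml2js` copy still below 0.5.0, so a project can confirm the override actually deduplicated the transitive copy. The lockfile contents and the `0.4.0` chai-xml version are constructed sample data.

```javascript
// Added example, not part of the chai-xml project: verify that a
// package-lock.json (lockfileVersion 2/3 "packages" map) contains no xml2js
// copy below 0.5.0, the version that fixes GHSA-776f-qx25-q3cc / CVE-2023-0842.

// npm "overrides" entry of the kind the reporter applied in the consuming
// project's package.json (assumed shape, per npm's overrides documentation).
const packageJsonOverride = {
  overrides: {
    xml2js: '^0.5.0',
  },
};

// Minimal semver comparison: major.minor.patch only, leading range
// characters stripped, prerelease tags ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.replace(/^[^\d]*/, '').split('.').map(Number);
  const pb = b.replace(/^[^\d]*/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile "packages" map and return every installed path whose
// final segment is node_modules/xml2js with a version below minVersion.
// Nested paths (node_modules/<dep>/node_modules/xml2js) are the transitive
// copies an override is meant to eliminate.
function findVulnerableXml2js(lock, minVersion = '0.5.0') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xml2js$/.test(path)) continue;
    if (entry.version && compareVersions(entry.version, minVersion) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real lockfile): the top-level xml2js is
// already 0.5.0, but chai-xml still pulls its own nested 0.4.23 copy.
const sampleLockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/xml2js': { version: '0.5.0' },
    'node_modules/chai-xml': { version: '0.4.0' },
    'node_modules/chai-xml/node_modules/xml2js': { version: '0.4.23' },
  },
};

// Constructed sample of the same tree after reinstalling with the override
// in place: npm resolves every xml2js requirement to the single 0.5.0 copy.
const sampleLockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/xml2js': { version: '0.5.0' },
    'node_modules/chai-xml': { version: '0.4.0' },
  },
};

console.log('override to apply:', JSON.stringify(packageJsonOverride));
console.log('before override:', findVulnerableXml2js(sampleLockBefore));
console.log('after override: ', findVulnerableXml2js(sampleLockAfter));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means some dependency still carries its own pre-0.5 xml2js and the override (or a dependency bump such as chai-xml v0.4.1) has not reached it.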

Thanks for reporting. It should be fixed with v0.4.1