Update xml2js to 0.5 to solve CVE-2023-0842
diego-santacruz opened this issue · 2 comments
diego-santacruz commented
chai-xml currently uses xml2js ^0.4.23, but versions < 0.5 have a prototype pollution vulnerability, as described in GHSA-776f-qx25-q3cc.
From what I could see in https://github.com/Leonidas-from-XIV/node-xml2js there seems to be no breaking changes in xml2js 5.0.0, so fixing the issue should be a simple matter.
michael-lloyd-morris commented
Cucumber-JS uses this library and all tests passed after I applied an override.
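The override approach mentioned in the comment above, as an added example that is not code from chai-xml, xml2js or Cucumber-JS: a small Node script that flags xml2js copies in a package-lock.json that are still below the fixed 0.5.0 release and builds the npm `overrides` entry (npm 8.3 or newer) that pins them. The lockfile contents are constructed, and the `sample-app` name and `X.Y.Z` version are placeholders.

```javascript
// Added example, not part of chai-xml or xml2js: audit a package-lock.json for
// xml2js copies below the fixed release (GHSA-776f-qx25-q3cc, fixed in 0.5.0)
// and build the package.json "overrides" entry that forces a fixed version.
const FIXED_VERSION = "0.5.0";
// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// An installed xml2js is affected when it is older than the fixed release.
function isVulnerableXml2js(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}
// Walk the "packages" map of a lockfileVersion 2/3 lock and return every
// path that is an xml2js copy still below the fix, nested copies included.
function findVulnerableXml2js(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/xml2js$/.test(path)) continue;
    if (isVulnerableXml2js(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}
// Return a copy of package.json with an npm "overrides" entry (npm >= 8.3)
// pinning every transitive xml2js to the fixed line, keeping other overrides.
function overrideForXml2js(pkg) {
  const overrides = { ...(pkg.overrides || {}), xml2js: `^${FIXED_VERSION}` };
  return { ...pkg, overrides };
}
// Constructed sample lock: a nested 0.4.23 pulled in by chai-xml (the
// chai-xml version is a placeholder) plus an already-fixed top-level copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/chai-xml": { version: "X.Y.Z", dependencies: { xml2js: "^0.4.23" } },
    "node_modules/chai-xml/node_modules/xml2js": { version: "0.4.23" },
    "node_modules/xml2js": { version: "0.5.0" },
  },
};
console.log(findVulnerableXml2js(sampleLock), overrideForXml2js({ name: "sample-app" }));
```

After adding the override, re-run `npm install` so the lockfile is regenerated, then rerun the audit to confirm no nested copy remains.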
krampstudio commented
Thanks for reporting. It should be fixed with v0.4.1