You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Just echoing the Dependabot warning that we had on our repo:
Dependabot cannot update xml2js to a non-vulnerable version
The latest possible version that can be installed is 0.4.23 because of the following conflicting dependencies:
@bbc/nightwatch-vrt@2.0.0 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4
No patched version available for xml2js
The earliest fixed version is 0.5.0.
xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.
Temporary solution
Add the following to your package.json
"overrides": {
"xml2js": "0.5.0"
}
The text was updated successfully, but these errors were encountered:
Just echoing the Dependabot warning that we had on our repo:
Dependabot cannot update xml2js to a non-vulnerable version
The latest possible version that can be installed is 0.4.23 because of the following conflicting dependencies:
@bbc/nightwatch-vrt@2.0.0 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4
No patched version available for xml2js
The earliest fixed version is 0.5.0.
Temporary solution
Add the following to your package.json
The text was updated successfully, but these errors were encountered: