From b86ffdfc8ac6e8cef88de07cae7b68a2c1eb3818 Mon Sep 17 00:00:00 2001
From: Christian Bewernitz
Date: Sat, 25 Dec 2021 11:54:05 +0100
Subject: [PATCH 1/2] Upgrades dependency xmldom

Switching from package `xmldom` to `@xmldom/xmldom`, which resolves the security issue present in latest xmldom version 0.6.0: https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q
The reason is that the maintainers were forced to switch to a scoped package since 0.7.0: https://github.com/xmldom/xmldom/issues/271
- The reference to `@types/xmldom` can be dropped, since xmldom now comes with types as part of the package.
- I used node 16 to run `npm install` which updated the npm-shrinkwrap.json.
- I didn't attempt to run the project on my machine, but I'm hoping for the CI checks to cover the important things.
- The package `adaptive-expressions` has a dependency to `@xmldom/xmldom@0.7.5`, so if you prefer I can also change the PR to point to that version in the package.json. I didn't find any tools that support this project in keeping dependencies up to date, so I'm not sure which way you would prefer.
I'm one of the xmldom maintainers. Don't hesitate to ask me questions.
---
 npm-shrinkwrap.json | 45 +++++++++++++------------
 package.json | 3 +-
 src/m365/pa/cds-project-mutator.spec.ts | 2 +-
 src/m365/pa/cds-project-mutator.ts | 4 +--
 4 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
index a4efafe0826..43ff8a9c9b5 100644
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@@ -10,6 +10,7 @@
 "license": "MIT",
 "dependencies": {
 "@azure/msal-node": "^1.4.0",
+ "@xmldom/xmldom": "^0.8.0",
 "adaptive-expressions": "^4.15.0",
 "adaptivecards": "^2.10.0",
 "adaptivecards-templating": "^2.2.0",
@@ -31,8 +32,7 @@
 "strip-json-comments": "^3.1.1",
 "typescript": "^4.5.3",
 "update-notifier": "^5.1.0",
- "uuid": "^8.3.2",
- "xmldom": "^0.6.0"
+ "uuid": "^8.3.2"
 },
 "bin": {
 "m365": "dist/index.js",
@@ -53,7 +53,6 @@
 "@types/sinon": "^10.0.6",
 "@types/update-notifier": "^5.1.0",
 "@types/uuid": "^8.3.3",
- "@types/xmldom": "^0.1.31",
 "@typescript-eslint/eslint-plugin": "^5.6.0",
 "@typescript-eslint/parser": "^5.6.0",
 "c8": "^7.10.0",
@@ -869,9 +868,9 @@
 "dev": true
 },
 "node_modules/@xmldom/xmldom": {
- "version": "0.7.5",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
- "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A==",
+ "version": "0.8.0",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.0.tgz",
+ "integrity": "sha512-7wVnF+rKrVDEo1xjzkkidTG0grclaVnX0vKa0z9JSXcEdtftUJjvU33jLGg6SHyvs3eeqEsI7jZ6NxYfRypEEg==",
 "engines": {
 "node": ">=10.0.0"
 }
@@ -944,6 +943,14 @@
 "xpath": "^0.0.32"
 }
 },
+ "node_modules/adaptive-expressions/node_modules/@xmldom/xmldom": {
+ "version": "0.7.5",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
+ "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A==",
+ "engines": {
+ "node": ">=10.0.0"
+ }
+ },
 "node_modules/adaptivecards": {
 "version": "2.10.0",
 "resolved": "https://registry.npmjs.org/adaptivecards/-/adaptivecards-2.10.0.tgz",
@@ -6109,14 +6116,6 @@
 "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
 "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw=="
 },
- "node_modules/xmldom": {
- "version": "0.6.0",
- "resolved": "https://registry.npmjs.org/xmldom/-/xmldom-0.6.0.tgz",
- "integrity": "sha512-iAcin401y58LckRZ0TkI4k0VSM1Qg0KGSc3i8rU+xrxe19A/BN1zHyVSJY7uoutVlaTSzYyk/v5AmkewAP7jtg==",
- "engines": {
- "node": ">=10.0.0"
- }
- },
 "node_modules/xpath": {
 "version": "0.0.32",
 "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
@@ -6842,9 +6841,9 @@
 "dev": true
 },
 "@xmldom/xmldom": {
- "version": "0.7.5",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
- "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A=="
+ "version": "0.8.0",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.0.tgz",
+ "integrity": "sha512-7wVnF+rKrVDEo1xjzkkidTG0grclaVnX0vKa0z9JSXcEdtftUJjvU33jLGg6SHyvs3eeqEsI7jZ6NxYfRypEEg=="
 },
 "abab": {
 "version": "2.0.5",
@@ -6901,6 +6900,13 @@
 "lru-cache": "^5.1.1",
 "uuid": "^8.3.2",
 "xpath": "^0.0.32"
+ },
+ "dependencies": {
+ "@xmldom/xmldom": {
+ "version": "0.7.5",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
+ "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A=="
+ }
 }
 },
 "adaptivecards": {
@@ -10840,11 +10846,6 @@
 "resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
 "integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw=="
 },
- "xmldom": {
- "version": "0.6.0",
- "resolved": "https://registry.npmjs.org/xmldom/-/xmldom-0.6.0.tgz",
- "integrity": "sha512-iAcin401y58LckRZ0TkI4k0VSM1Qg0KGSc3i8rU+xrxe19A/BN1zHyVSJY7uoutVlaTSzYyk/v5AmkewAP7jtg=="
- },
 "xpath": {
 "version": "0.0.32",
 "resolved": "https://registry.npmjs.org/xpath/-/xpath-0.0.32.tgz",
diff --git a/package.json b/package.json
index a4c790666cf..3698bf32077 100644
--- a/package.json
+++ b/package.json
@@ -193,7 +193,7 @@
 "typescript": "^4.5.3",
 "update-notifier": "^5.1.0",
 "uuid": "^8.3.2",
- "xmldom": "^0.6.0"
+ "@xmldom/xmldom": "^0.8.0"
 },
 "devDependencies": {
 "@microsoft/microsoft-graph-types": "^2.10.0",
@@ -209,7 +209,6 @@
 "@types/sinon": "^10.0.6",
 "@types/update-notifier": "^5.1.0",
 "@types/uuid": "^8.3.3",
- "@types/xmldom": "^0.1.31",
 "@typescript-eslint/eslint-plugin": "^5.6.0",
 "@typescript-eslint/parser": "^5.6.0",
 "c8": "^7.10.0",
diff --git a/src/m365/pa/cds-project-mutator.spec.ts b/src/m365/pa/cds-project-mutator.spec.ts
index 3e31f51ecf2..6d7e393c063 100644
--- a/src/m365/pa/cds-project-mutator.spec.ts
+++ b/src/m365/pa/cds-project-mutator.spec.ts
@@ -1,6 +1,6 @@
 import * as assert from 'assert';
 import * as path from 'path';
-import { XMLSerializer } from 'xmldom';
+import { XMLSerializer } from '@xmldom/xmldom';
 import CdsProjectMutator from './cds-project-mutator';

 describe('CdsProjectMutator', () => {
diff --git a/src/m365/pa/cds-project-mutator.ts b/src/m365/pa/cds-project-mutator.ts
index bf0833b7029..58b57b049db 100644
--- a/src/m365/pa/cds-project-mutator.ts
+++ b/src/m365/pa/cds-project-mutator.ts
@@ -1,5 +1,5 @@
 import * as path from 'path';
-import { DOMParser } from 'xmldom';
+import { DOMParser } from '@xmldom/xmldom';

 /*
 * Logic extracted from bolt.module.solution.dll
@@ -102,4 +102,4 @@ export default class CdsProjectMutator {
 }
 }
 }
-}
\ No newline at end of file
+}

From 6fbb790b963824e599bbbdb95b678444de0c2f6a Mon Sep 17 00:00:00 2001
From: Christian Bewernitz
Date: Wed, 29 Dec 2021 12:16:19 +0100
Subject: [PATCH 2/2] Downgrade xmldom to 0.7.5 due to failing tests

https://github.com/pnp/cli-microsoft365/pull/2900#issuecomment-1002218766
---
 npm-shrinkwrap.json | 29 +++++++---------------------
 package.json | 4 ++--
 2 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
index 43ff8a9c9b5..22175be1b6e 100644
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@@ -10,7 +10,7 @@
 "license": "MIT",
 "dependencies": {
 "@azure/msal-node": "^1.4.0",
- "@xmldom/xmldom": "^0.8.0",
+ "@xmldom/xmldom": "^0.7.5",
 "adaptive-expressions": "^4.15.0",
 "adaptivecards": "^2.10.0",
 "adaptivecards-templating": "^2.2.0",
@@ -868,9 +868,9 @@
 "dev": true
 },
 "node_modules/@xmldom/xmldom": {
- "version": "0.8.0",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.0.tgz",
- "integrity": "sha512-7wVnF+rKrVDEo1xjzkkidTG0grclaVnX0vKa0z9JSXcEdtftUJjvU33jLGg6SHyvs3eeqEsI7jZ6NxYfRypEEg==",
+ "version": "0.7.5",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
+ "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A==",
 "engines": {
 "node": ">=10.0.0"
 }
@@ -943,14 +943,6 @@
 "xpath": "^0.0.32"
 }
 },
- "node_modules/adaptive-expressions/node_modules/@xmldom/xmldom": {
- "version": "0.7.5",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
- "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A==",
- "engines": {
- "node": ">=10.0.0"
- }
- },
 "node_modules/adaptivecards": {
 "version": "2.10.0",
 "resolved": "https://registry.npmjs.org/adaptivecards/-/adaptivecards-2.10.0.tgz",
@@ -6841,9 +6833,9 @@
 "dev": true
 },
 "@xmldom/xmldom": {
- "version": "0.8.0",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.8.0.tgz",
- "integrity": "sha512-7wVnF+rKrVDEo1xjzkkidTG0grclaVnX0vKa0z9JSXcEdtftUJjvU33jLGg6SHyvs3eeqEsI7jZ6NxYfRypEEg=="
+ "version": "0.7.5",
+ "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
+ "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A=="
 },
 "abab": {
 "version": "2.0.5",
@@ -6900,13 +6892,6 @@
 "lru-cache": "^5.1.1",
 "uuid": "^8.3.2",
 "xpath": "^0.0.32"
- },
- "dependencies": {
- "@xmldom/xmldom": {
- "version": "0.7.5",
- "resolved": "https://registry.npmjs.org/@xmldom/xmldom/-/xmldom-0.7.5.tgz",
- "integrity": "sha512-V3BIhmY36fXZ1OtVcI9W+FxQqxVLsPKcNjWigIaa81dLC9IolJl5Mt4Cvhmr0flUnjSpTdrbMTSbXqYqV5dT6A=="
- }
 }
 },
 "adaptivecards": {
diff --git a/package.json b/package.json
index 3698bf32077..48c74fafe94 100644
--- a/package.json
+++ b/package.json
@@ -171,6 +171,7 @@
 ],
 "dependencies": {
 "@azure/msal-node": "^1.4.0",
+ "@xmldom/xmldom": "^0.7.5",
 "adaptive-expressions": "^4.15.0",
 "adaptivecards": "^2.10.0",
 "adaptivecards-templating": "^2.2.0",
@@ -192,8 +193,7 @@
 "strip-json-comments": "^3.1.1",
 "typescript": "^4.5.3",
 "update-notifier": "^5.1.0",
- "uuid": "^8.3.2",
- "@xmldom/xmldom": "^8.3.2"
+ "uuid": "^8.3.2"
 },
 "devDependencies": {
 "@microsoft/microsoft-graph-types": "^2.10.0",
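Review bot: The new `"@xmldom/xmldom": "^0.7.5"` range in the first hunk is not accompanied by any statement, here or in the patch 2/2 message, that the downgraded range still excludes the release line the patch 1/2 message cites as affected by GHSA-5fg8-2547-mr8q, which is the whole reason the package was swapped. As far as I recall that advisory is fixed from the first scoped release (0.7.0) onward, so 0.7.5 as pinned in npm-shrinkwrap.json should still be clear of it, but please confirm against the advisory and record the conclusion in the commit message so the downgrade is not read as reintroducing it. A caret on 0.7.5 will never resolve to 0.8.x, so the failing-tests reason given in the subject also deserves a tracked follow-up (issue link in the message) rather than being the permanent ceiling. Placing the entry next to `@azure/msal-node` also makes the version match the nested copy that adaptive-expressions carries, which is why the duplicate `node_modules/adaptive-expressions/node_modules/@xmldom/xmldom` record disappears from the lockfile; worth a sentence in the description as well.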