
CVE @xmldom/xmldom <0.8.3 #7958

Closed
Shinigami92 opened this issue Oct 13, 2022 · 2 comments · Fixed by #8010
@Shinigami92

Description

@xmldom/xmldom has reported a CVE which results in a (successfully) failing audit pipeline in our GitLab

Reduced test case

GHSA-9pgh-qqpf-7wqj

Steps to reproduce

  1. Install video.js and/or @videojs/http-streaming
  2. Run e.g. pnpm audit
  3. Profit $$$

Errors

No response

What version of Video.js are you using?

7.20.3

Video.js plugins used.

@videojs/http-streaming

What browser(s) including version(s) does this occur with?

🤷

What OS(es) and version(s) does this occur with?

MacOS

@Shinigami92 Shinigami92 added bug needs: triage This issue needs to be reviewed labels Oct 13, 2022
@welcome

welcome bot commented Oct 13, 2022

👋 Thanks for opening your first issue here! 👋

If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.
To help make it easier for us to investigate your issue, please follow the contributing guidelines.

@KJLJon

KJLJon commented Oct 27, 2022

It looks like @xmldom/xmldom has backported the fix and released 0.7.6 (see GHSA-9pgh-qqpf-7wqj).

Looking at the package-lock.json, it looks like the reason it is installed is because of mpd-parser. Since mpd-parser requires "@xmldom/xmldom": "^0.7.2", all that is needed is to do an npm update and you should have the latest package with the fixed version.

FYI: it looks like the CVE-2022-37616 hasn't been updated to include the 0.7.6 patched version, but the GHSA-9pgh-qqpf-7wqj has. Here is the PR for 0.7.x branch fix.

gkatsev added a commit that referenced this issue Nov 21, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 23, 2023
@misteroneill misteroneill removed the needs: triage This issue needs to be reviewed label Mar 28, 2023
edirub pushed a commit to edirub/video.js that referenced this issue Jun 8, 2023