
npm xmldom git dependabot security fix needs patched version 0.7.0 but unable to find it and also tied with npm @xmldom/xmldom, kindly help me #427

Closed
dharan2022 opened this issue Sep 7, 2022 · 8 comments
Assignees
Labels
awaiting response Maintainers are waiting for information question Contains open questions that need to be answered

Comments

@dharan2022

dharan2022 commented Sep 7, 2022

npm xmldom git dependabot security fix needs patched version 0.7.0 but unable to find it and also tied with npm @xmldom/xmldom, kindly help me

@karfau
Member

karfau commented Sep 7, 2022

xmldom only has versions up to 0.6.0, all of them have security fixes.
@xmldom/xmldom starts at 0.7.0 but the highest 0.7.x version is 0.7.5, the next version after that is 0.8.0 with some breaking changes that most likely do not affect you, the most recent version is 0.8.2 as of writing.

If you need support in updating, point us to your repo. We are happy to try and find the latest version that doesn't break anything.

@karfau karfau added the awaiting response Maintainers are waiting for information label Sep 7, 2022
@dharan2022
Author

Hi, thank you for your reply. I would like to add a few more points: currently I have two dependabot alerts, both of them regarding the xmldom (NPM) package as "Misinterpretation of malicious XML input". At one alert it shows 0.5.0 as the patched version and the other one shows 0.7.0 as the patched version, kindly help me further on this.

@dharan2022 dharan2022 changed the title npm xmldom git dependabot security fix needs patched version 0.7.7 but unable to find it and also tied with npm @xmldom/xmldom, kindly help me npm xmldom git dependabot security fix needs patched version 0.7.0 but unable to find it and also tied with npm @xmldom/xmldom, kindly help me Sep 8, 2022
@karfau
Member

karfau commented Sep 9, 2022

The only new information I found is that you have a version < 0.5.0 installed.
More details on why 0.7.0 has been published as @xmldom/xmldom instead of xmldom are in #271.

because of that, what you need to do is

npm remove xmldom
npm install @xmldom/xmldom

or if you are using yarn

yarn remove xmldom
yarn add @xmldom/xmldom

and in your codebase change all occurrences of xmldom to @xmldom/xmldom.

And I will repeat my offer: If you can provide a link/access to the repository in question (doesn't have to be on github), I will gladly help with the upgrade.

I will close the issue now since it's not about a problem of this library.
Feel free to continue the conversation as needed.

@karfau karfau closed this as completed Sep 9, 2022
@karfau karfau removed the awaiting response Maintainers are waiting for information label Sep 9, 2022
@dharan2022
Author

I have created a sample application with the same vulnerability, please do check the below repository

https://github.com/dharan2022/bdharan.git

@karfau
Member

karfau commented Sep 9, 2022

As I said I'm going to help you (within the next 3 days), but please stop creating new issues for the same topic!

PS: It would of course also be helpful if you try to do what I suggested (npm/yarn commands) and report back what the error is if there is any.

@karfau karfau self-assigned this Sep 9, 2022
@karfau
Member

karfau commented Sep 9, 2022

@dharan2022
There are the following issues with your sample project:

  1. It has both xmldom (v0.6.0) and @xmldom/xmldom (v0.8.2) package installed. To fix that run npm rm xmldom. This should already get rid of the security alerts.

  2. You installed @xmldom/xmldom from github, which means different people checking out the project get different versions, since it will fetch the default branch and create a package locally and cache it. To fix that, replace the value "github:xmldom/xmldom" with "0.8.2" in the package.json and run npm i to update the package-lock.json file.

  3. The source code in your project is not using / requiring any xmldom code.
    I assume your real code does; to fix the problems you get after the fix suggested in step 1, search in your source code for "xmldom" or 'xmldom' and replace xmldom with @xmldom/xmldom

Ps: I just gave you a more detailed step by step instruction of what I already wrote above. If you are not able to apply these steps, you need to get help from somebody else to support you.

@dharan2022
Author

In the actual project's package-lock file, xmldom is a child dependency of others, like for example canvg etc...

@karfau
Member

karfau commented Sep 9, 2022

I tried to install canvg into a local project but it doesn't have xmldom as a transitive dependency, at least not in the latest version.

Can you please provide the output of the following command: npm ls xmldom, so we can find out exactly which dependency/dependencies has/have the outdated version?
(Please put it in triple backticks ``` so it renders as a code block)

I have filed update PRs to open source repos successfully in the past, if it's open source I should be able to help them upgrade. Of course that doesn't mean they are willing or able to merge it.

@karfau karfau added question Contains open questions that need to be answered awaiting response Maintainers are waiting for information labels Oct 25, 2022
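The steps the maintainer lists above (remove the unscoped package, pin a registry version instead of a git spec, rename imports) and the `npm ls xmldom` request boil down to one question: which dependency still pulls in `xmldom`, and at what version? The following Node script is an added example, not code from the xmldom project or from the reporter's repository. It walks a `package-lock.json` in lockfileVersion 2 or 3 form (the `packages` map keyed by install path; v1 lock files are not handled), resolves each dependent's `xmldom` the way `require()` would, flags an `@xmldom/xmldom` entry that was resolved from git, and rewrites bare `'xmldom'` import specifiers. The sample lock file and the package names `legacy-svg-renderer` and `old-report-tool` in it are constructed for the example.

```javascript
// Added example, not code from the xmldom project. Audits a package-lock.json
// (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path)
// for installs of the deprecated unscoped `xmldom` package, reports which
// dependency pulls each one in, and flags @xmldom/xmldom installs resolved from
// git instead of the npm registry. Names/versions in SAMPLE_LOCK are constructed.

const DEPRECATED = 'xmldom';
const SCOPED = '@xmldom/xmldom';

// Nearest-ancestor lookup, the rule Node applies at require() time: starting at
// the dependent's own directory, try <dir>/node_modules/<name> and walk upwards.
function resolveInstall(packages, dependentPath, name) {
  let dir = dependentPath; // '' is the project root entry of the lock file
  for (;;) {
    const candidate = `${dir ? dir + '/' : ''}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (dir === '') return null;
    const cut = dir.lastIndexOf('/node_modules/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}

// Strip the leading "node_modules/" segments so a lock path reads as a package name.
function packageName(lockPath, lock) {
  return lockPath === '' ? (lock.name || '(root)') : lockPath.replace(/^.*node_modules\//, '');
}

function auditLock(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    const deps = Object.assign({}, meta.dependencies, meta.optionalDependencies, meta.devDependencies);
    if (Object.prototype.hasOwnProperty.call(deps, DEPRECATED)) {
      const installedAt = resolveInstall(packages, lockPath, DEPRECATED);
      findings.push({
        kind: 'deprecated-package',
        dependent: packageName(lockPath, lock),
        spec: deps[DEPRECATED],
        installedAt,
        version: installedAt ? packages[installedAt].version : null,
      });
    }
    // A git-resolved @xmldom/xmldom means every checkout may build a different
    // version from the default branch; the fix is to pin a registry version.
    if (lockPath.endsWith(`node_modules/${SCOPED}`) && /^(git\+|github:)/.test(meta.resolved || '')) {
      findings.push({ kind: 'git-resolved', path: lockPath, version: meta.version, resolved: meta.resolved });
    }
  }
  return findings;
}

// Step 3 of the list above: rewrite require()/import specifiers of the bare
// package. Deep imports such as 'xmldom/lib/...' are intentionally left alone;
// they need a per-file review rather than a blind rename.
function rewriteImports(source) {
  return source.replace(/(['"])xmldom\1/g, `$1${SCOPED}$1`);
}

function formatReport(findings) {
  return findings.map((f) =>
    f.kind === 'git-resolved'
      ? `${f.path}@${f.version} is resolved from git (${f.resolved}); pin a registry version`
      : `${f.dependent} depends on ${DEPRECATED}@${f.spec} -> ${
          f.installedAt ? `${f.installedAt} (v${f.version})` : 'not installed'
        }`
  );
}

// Constructed sample lock file: two invented dependents still on the unscoped
// package (one nested, one hoisted) plus a git-resolved @xmldom/xmldom.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', dependencies: { 'legacy-svg-renderer': '^1.0.0', 'old-report-tool': '^1.0.0', '@xmldom/xmldom': 'github:xmldom/xmldom' } },
    'node_modules/@xmldom/xmldom': { version: '0.8.2', resolved: 'git+ssh://git@github.com/xmldom/xmldom.git#PLACEHOLDER_COMMIT' },
    'node_modules/legacy-svg-renderer': { version: '1.0.0', dependencies: { xmldom: '^0.1.27' } },
    'node_modules/legacy-svg-renderer/node_modules/xmldom': { version: '0.1.31' },
    'node_modules/old-report-tool': { version: '1.0.0', dependencies: { xmldom: '^0.6.0' } },
    'node_modules/xmldom': { version: '0.6.0' },
  },
};

console.log(formatReport(auditLock(SAMPLE_LOCK)).join('\n'));
```

To run it against a real project, pass the parsed lock file instead of the sample: `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`. Each `deprecated-package` finding names the dependent that has to be upgraded or replaced, which is the same information `npm ls xmldom` prints as a tree; a `git-resolved` finding is the package.json change from step 2.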