npm xmldom git dependabot security fix needs patched version 0.7.0 but unable to find it and also tied with npm @xmldom/xmldom, kindly help me #427
Comments
If you need support in updating, point us to your repo. We are happy to try and find the latest version that doesn't break anything.
Hi, thank you for your reply. I would like to add a few more points: currently I have two Dependabot alerts, both of them regarding the xmldom (NPM) package as "Misinterpretation of malicious XML input". One alert shows 0.5.0 as the patched version and the other one shows 0.7.0 as the patched version. Kindly help me further on this.
The only new information I found is that you have a version < 0.5.0 installed. Because of that, what you need to do is
or if you are using
and in your codebase change all occurrences of
And I will repeat my offer: If you can provide a link/access to the repository in question (doesn't have to be on GitHub), I will gladly help with the upgrade. I will close the issue now since it's not about a problem of this library.
I have created a sample application with the same vulnerability. Please do check the below repository
As I said, I'm going to help you (within the next 3 days), but please stop creating new issues for the same topic! PS: It would of course also be helpful if you try to do what I suggested (npm/yarn commands) and report back what the error is, if there is any.
@dharan2022
PS: I just gave you a more detailed step-by-step instruction of what I already wrote above. If you are not able to apply these steps, you need to get help from somebody else to support you.
In the actual project's package lock file, xmldom is a child dependency of others, for example canvg etc...
I tried to install canvg into a local project but it doesn't have xmldom as a transitive dependency, at least not in the latest version. Can you please provide the output of the following command:
I have filed update PRs to open source repos successfully in the past; if it's open source I should be able to help them upgrade. Of course that doesn't mean they are willing or able to merge it.
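As an added example (not the project's own code, and not the commands the maintainer posted above), here is a Node script for the situation discussed in this thread: it reads a lockfileVersion 2/3 package-lock.json, finds every installed copy of xmldom or @xmldom/xmldom, compares it against the 0.7.0 patched version, and reports whether the copy is a direct dependency (migrate to @xmldom/xmldom yourself) or a transitive one (the package that pulls it in has to be upgraded or overridden). The "svg-lib" package and the lockfile contents are constructed for illustration.

```javascript
// Added example, not code from the xmldom project: scan a lockfileVersion 2/3
// package-lock.json for xmldom copies below the patched version Dependabot cites
// in this thread (0.7.0, published as @xmldom/xmldom). Sample lock is constructed.
const PATCHED = '0.7.0';

function semverLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
const isXmldom = (name) => name === 'xmldom' || name === '@xmldom/xmldom';

// One record per installed copy: is it still vulnerable, and what to do about it.
function record(name, version, direct, parent) {
  const vulnerable = semverLess(version, PATCHED);
  const advice = !vulnerable ? 'ok'
    : direct ? 'uninstall xmldom, install @xmldom/xmldom and update the imports'
    : `upgrade ${parent || 'the dependent (see: npm ls xmldom)'} or override its xmldom`;
  return { name, version, direct, vulnerable, advice };
}

// "packages" is keyed by install path, so nesting reveals which package pulled
// the copy in; the root entry ("") lists the project's own direct dependencies.
function findXmldom(lock) {
  const root = lock.packages[''] || {};
  const direct = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const chain = path.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
    const name = chain[chain.length - 1];
    if (!isXmldom(name)) continue;
    const parent = chain.length > 1 ? chain[chain.length - 2] : null;
    hits.push(record(name, meta.version, name in direct, parent));
  }
  return hits;
}

// Constructed sample: a hypothetical "svg-lib" nests an old xmldom, while the
// project itself already depends on the renamed, patched package.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { dependencies: { 'svg-lib': '^1.0.0', '@xmldom/xmldom': '^0.7.0' } },
  'node_modules/svg-lib': { version: '1.0.0', dependencies: { xmldom: '^0.4.0' } },
  'node_modules/svg-lib/node_modules/xmldom': { version: '0.4.0' },
  'node_modules/@xmldom/xmldom': { version: '0.7.0' },
} };
console.log(findXmldom(SAMPLE_LOCK));
```

A hoisted transitive copy sits at `node_modules/xmldom` with no parent in its path, which is why the advice then falls back to asking the package manager which dependent requires it.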