xmldom-sre vulnerability #702

Open
Ancient-Dragon opened this issue Mar 10, 2023 · 4 comments
@Ancient-Dragon

Hi there,

We're trying to bring in this package, but because of a vulnerability in xmldom-sre we are unable to. It also looks like this package isn't maintained; would it be possible to switch it out?

Thanks!

@zorkow
Member

zorkow commented Mar 15, 2023

xmldom-sre is Speech Rule Engine's own fork of xmldom, which is no longer maintained. The main difference is that it fixes a couple of bugs and adds a full list of HTML entities.

What exactly is the vulnerability that you have found? Maybe we can fix it.
When I install it with npm I get "found 0 vulnerabilities".

@Ancient-Dragon
Author

It was picked up by Sonar for us; the vulnerability is CVE-2022-37616.

zorkow added a commit to Speech-Rule-Engine/xmldom that referenced this issue Mar 30, 2023
zorkow added a commit that referenced this issue Mar 30, 2023
@zorkow zorkow added this to the 4.1 milestone Apr 4, 2023
@zorkow
Member

zorkow commented Apr 7, 2023

I've just made a new beta release and pushed speech-rule-engine@4.1.0-beta.3 to npm.
Its version of xmldom-sre is now based on the new fork from @xmldom/xmldom, which should take care of the security vulnerability. Have a look whether this works for you.

@Ancient-Dragon
Author

Thank you so much, I'll try to pull it in after the Easter weekend!
