
npm audit issues due to jsonld dependency #233

Closed
fennibay opened this issue Mar 11, 2022 · 2 comments

Comments

@fennibay

When doing npm install @thing-description-playground/cli I get the message:

found 4 vulnerabilities (2 low, 2 moderate)

All vulnerabilities are on the path @thing-description-playground/core > jsonld > xmldom, and latest jsonld version doesn't have the xmldom dependency. So just updating @thing-description-playground/core to latest jsonld should resolve the problem.

Although this means going from jsonld major version 3 to 5, so there could be breaking changes.

Details below.

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Misinterpretation of malicious XML input
  Package         xmldom
  Patched in      >=0.7.0
  Dependency of   @thing-description-playground/cli
  Path            @thing-description-playground/cli >
                  @thing-description-playground/core > jsonld > xmldom
  More info       https://github.com/advisories/GHSA-5fg8-2547-mr8q

  Moderate        Misinterpretation of malicious XML input
  Package         xmldom
  Patched in      >=0.7.0
  Dependency of   @thing-description-playground/cli
  Path            @thing-description-playground/cli >
                  @thing-description-playground/assertions >
                  @thing-description-playground/core > jsonld > xmldom
  More info       https://github.com/advisories/GHSA-5fg8-2547-mr8q

  Low             Misinterpretation of malicious XML input
  Package         xmldom
  Patched in      >=0.5.0
  Dependency of   @thing-description-playground/cli
  Path            @thing-description-playground/cli >
                  @thing-description-playground/core > jsonld > xmldom
  More info       https://github.com/advisories/GHSA-h6q6-9hqw-rwfv

  Low             Misinterpretation of malicious XML input
  Package         xmldom
  Patched in      >=0.5.0
  Dependency of   @thing-description-playground/cli
  Path            @thing-description-playground/cli >
                  @thing-description-playground/assertions >
                  @thing-description-playground/core > jsonld > xmldom
  More info       https://github.com/advisories/GHSA-h6q6-9hqw-rwfv

found 4 vulnerabilities (2 low, 2 moderate) in 141 scanned packages
  4 vulnerabilities require manual review. See the full report for details.
@egekorkan
Member

So I have started to look at this at https://github.com/thingweb/thingweb-playground/tree/bump-jsonld . There is some weird behavior that I do not understand. Running an example script does not fail anywhere, but running a test (from jest) fails at the json-ld step.

@fatadel
Contributor

fatadel commented Aug 30, 2022

@fennibay @egekorkan

I've noticed only now, but all aforementioned vulnerability issues were closed in #336 and #339 🥳 Apparently, that happened after I updated jsonld from version 3 to version 4 - I don't know why @fennibay said to update to version 5, as xmldom was removed in version 4.
However, we cannot update jsonld to versions >=5 because of the following issue - digitalbazaar/jsonld.js#451.

@fatadel fatadel closed this as completed Aug 30, 2022
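The two observations in this thread (fennibay: every finding sits on a chain ending in jsonld > xmldom; fatadel: the findings disappear once the installed jsonld no longer pulls in xmldom) are the kind of thing worth checking mechanically against a lockfile rather than by reading the audit table. The following is an added example, not code from the thingweb-playground project: it walks a flat npm lockfile (lockfileVersion 1 shape, where each entry under "dependencies" carries "version" and "requires"), lists every dependency chain that ends in the target package, and flags the chain only when the installed version is below the advisory's "Patched in" floor. The two sample lockfiles, their version numbers and the "1.0.0" playground versions are constructed for the demo; only the package names and the ">=0.7.0" floor come from the report above.

```javascript
// Added example (not part of the thingweb-playground project).
// Walks a lockfileVersion-1 style lock object and reports dependency chains
// that reach `target` with an installed version below the "Patched in" floor.

function parseVersion(v) {
  // Minimal "MAJOR.MINOR.PATCH" parse; pre-release/build suffixes are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// `patchedIn` uses the audit report's ">=X.Y.Z" form.
function isPatched(installed, patchedIn) {
  const m = /^>=\s*(\S+)$/.exec(patchedIn);
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  return compareVersions(installed, m[1]) >= 0;
}

function findVulnerablePaths(lock, target, patchedIn) {
  const deps = lock.dependencies || {};
  const results = [];

  const visit = (name, path, seen) => {
    const entry = deps[name];
    if (!entry || seen.has(name)) return; // unknown package or dependency cycle
    const chain = [...path, name];
    if (name === target) {
      if (!isPatched(entry.version, patchedIn)) {
        results.push({ path: chain.join(' > '), installed: entry.version });
      }
      return;
    }
    const nextSeen = new Set(seen);
    nextSeen.add(name);
    for (const dep of Object.keys(entry.requires || {})) visit(dep, chain, nextSeen);
  };

  // Roots are packages that nothing else in the lock requires (the app's direct deps).
  const required = new Set();
  for (const e of Object.values(deps)) {
    for (const d of Object.keys(e.requires || {})) required.add(d);
  }
  for (const name of Object.keys(deps)) {
    if (!required.has(name)) visit(name, [], new Set());
  }
  return results;
}

// Constructed sample: the dependency shape described in the audit report,
// with a jsonld 3.x that still requires xmldom (versions are made up).
const lockBefore = {
  lockfileVersion: 1,
  dependencies: {
    '@thing-description-playground/cli': {
      version: '1.0.0',
      requires: { '@thing-description-playground/core': '*', '@thing-description-playground/assertions': '*' },
    },
    '@thing-description-playground/assertions': {
      version: '1.0.0',
      requires: { '@thing-description-playground/core': '*' },
    },
    '@thing-description-playground/core': { version: '1.0.0', requires: { jsonld: '*' } },
    jsonld: { version: '3.0.0', requires: { xmldom: '*' } },
    xmldom: { version: '0.1.0' },
  },
};

// Constructed sample: same tree after the jsonld bump, where jsonld no longer
// requires xmldom at all, so no chain can reach it.
const lockAfter = {
  lockfileVersion: 1,
  dependencies: {
    ...lockBefore.dependencies,
    jsonld: { version: '4.0.0', requires: {} },
  },
};
delete lockAfter.dependencies.xmldom;

console.log(JSON.stringify(findVulnerablePaths(lockBefore, 'xmldom', '>=0.7.0'), null, 2));
console.log(JSON.stringify(findVulnerablePaths(lockAfter, 'xmldom', '>=0.7.0'), null, 2));
```

On the "before" lock this yields the same two chains the report lists (one through core directly, one through assertions > core); on the "after" lock it yields nothing, which is the state fatadel describes. Because the check compares the installed version against the floor rather than just matching the package name, a lock that still contains xmldom at or above 0.7.0 is also reported clean.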