When doing `npm install @thing-description-playground/cli` I get the message:

`found 4 vulnerabilities (2 low, 2 moderate)`
All vulnerabilities are on the path @thing-description-playground/core > jsonld > xmldom, and latest jsonld version doesn't have the xmldom dependency. So just updating @thing-description-playground/core to latest jsonld should resolve the problem.
Although this means going from jsonld major version 3 to 5, so there could be breaking changes.
Details below.
```text
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Moderate       Misinterpretation of malicious XML input
Package        xmldom
Patched in     >=0.7.0
Dependency of  @thing-description-playground/cli
Path           @thing-description-playground/cli > @thing-description-playground/core > jsonld > xmldom
More info      https://github.com/advisories/GHSA-5fg8-2547-mr8q

Moderate       Misinterpretation of malicious XML input
Package        xmldom
Patched in     >=0.7.0
Dependency of  @thing-description-playground/cli
Path           @thing-description-playground/cli > @thing-description-playground/assertions > @thing-description-playground/core > jsonld > xmldom
More info      https://github.com/advisories/GHSA-5fg8-2547-mr8q

Low            Misinterpretation of malicious XML input
Package        xmldom
Patched in     >=0.5.0
Dependency of  @thing-description-playground/cli
Path           @thing-description-playground/cli > @thing-description-playground/core > jsonld > xmldom
More info      https://github.com/advisories/GHSA-h6q6-9hqw-rwfv

Low            Misinterpretation of malicious XML input
Package        xmldom
Patched in     >=0.5.0
Dependency of  @thing-description-playground/cli
Path           @thing-description-playground/cli > @thing-description-playground/assertions > @thing-description-playground/core > jsonld > xmldom
More info      https://github.com/advisories/GHSA-h6q6-9hqw-rwfv

found 4 vulnerabilities (2 low, 2 moderate) in 141 scanned packages
4 vulnerabilities require manual review. See the full report for details.
```
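The issue above rests on two claims that are worth verifying mechanically rather than by reading the audit table: that every path to the vulnerable package goes through `jsonld`, and that bumping `jsonld` to a release without the `xmldom` dependency makes the findings disappear. The script below is an added example, not code from the thingweb-playground project. It walks an npm v2/v3 `package-lock.json` (the `packages` map keyed by `node_modules/...` path), lists every dependency path that ends at a target package using Node's own upward lookup rule, and flags paths whose installed version is below the advisory's "Patched in" threshold. The two lockfiles, the package versions in them and the `audit()` helper are constructed for illustration; the advisory IDs and patched-in versions are the ones in the report above.

```javascript
'use strict';

// Minimal "x.y.z" comparison for plain release versions (no semver dependency).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every dependency path (root omitted) that ends at `target`,
// with the version actually installed at that location.
function findPaths(lock, target) {
  const pkgs = lock.packages;
  const results = [];

  // Resolve `dep` as seen from location `from`, walking up node_modules
  // trees the way Node's module lookup does.
  function resolve(from, dep) {
    let base = from;
    for (;;) {
      const key = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
      if (pkgs[key]) return key;
      if (!base) return null;
      const idx = base.lastIndexOf('/node_modules/');
      base = idx === -1 ? '' : base.slice(0, idx);
    }
  }

  // Package name is whatever follows the last "node_modules/" (scoped names included).
  function nameOf(loc) {
    return loc.slice(loc.lastIndexOf('node_modules/') + 'node_modules/'.length);
  }

  function walk(loc, chain, seen) {
    const node = pkgs[loc];
    if (!node) return;
    const next = loc === '' ? chain : chain.concat(nameOf(loc));
    if (loc !== '' && nameOf(loc) === target) {
      results.push({ path: next.join(' > '), version: node.version });
      return;
    }
    if (seen.has(loc)) return; // cycle guard, per path
    seen.add(loc);
    for (const dep of Object.keys(node.dependencies || {})) {
      const depLoc = resolve(loc, dep);
      if (depLoc) walk(depLoc, next, new Set(seen));
    }
  }

  walk('', [], new Set());
  return results;
}

// Keep only the paths whose installed version is older than the fixed version.
function vulnerablePaths(lock, target, patchedIn) {
  return findPaths(lock, target).filter((r) => cmpVersion(r.version, patchedIn) < 0);
}

// One finding per (advisory, path), which is how npm audit counts them.
function audit(lock, advisories) {
  const findings = [];
  for (const adv of advisories) {
    for (const hit of vulnerablePaths(lock, adv.package, adv.patchedIn)) {
      findings.push({ id: adv.id, severity: adv.severity, package: adv.package, ...hit });
    }
  }
  return findings;
}

// Advisory IDs and thresholds from the report; severities as npm labelled them.
const ADVISORIES = [
  { id: 'GHSA-5fg8-2547-mr8q', severity: 'moderate', package: 'xmldom', patchedIn: '0.7.0' },
  { id: 'GHSA-h6q6-9hqw-rwfv', severity: 'low', package: 'xmldom', patchedIn: '0.5.0' },
];

// Constructed lockfile reproducing the dependency shape in the issue
// (all package versions here are made up for the example).
const LOCK_BEFORE = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { '@thing-description-playground/cli': '*' } },
    'node_modules/@thing-description-playground/cli': { version: '1.0.0', dependencies: { '@thing-description-playground/core': '*', '@thing-description-playground/assertions': '*' } },
    'node_modules/@thing-description-playground/assertions': { version: '1.0.0', dependencies: { '@thing-description-playground/core': '*' } },
    'node_modules/@thing-description-playground/core': { version: '1.0.0', dependencies: { jsonld: '^3.0.0' } },
    'node_modules/jsonld': { version: '3.3.0', dependencies: { xmldom: '0.1.31' } },
    'node_modules/xmldom': { version: '0.1.31' },
  },
};

// Same tree after a constructed jsonld bump that no longer depends on xmldom.
const LOCK_AFTER = {
  ...LOCK_BEFORE,
  packages: {
    ...LOCK_BEFORE.packages,
    'node_modules/@thing-description-playground/core': { version: '1.0.1', dependencies: { jsonld: '^4.0.0' } },
    'node_modules/jsonld': { version: '4.0.1', dependencies: {} },
    'node_modules/xmldom': undefined,
  },
};

for (const f of audit(LOCK_BEFORE, ADVISORIES)) {
  console.log(`${f.severity}\t${f.id}\t${f.package}@${f.version}\t${f.path}`);
}
console.log(`after bump: ${audit(LOCK_AFTER, ADVISORIES).length} findings`);
```

Against `LOCK_BEFORE` this yields four findings on two paths, matching the report (two advisories times two paths, both through `@thing-description-playground/core > jsonld`); against `LOCK_AFTER` it yields none, which is the check to run on the real lockfile after the bump rather than trusting that the dependency is gone.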
So I have started to look at this at https://github.com/thingweb/thingweb-playground/tree/bump-jsonld. There is some weird behavior that I do not understand. Running an example script does not fail anywhere, but running a test (from jest) fails at the json-ld step.
I've noticed only now, but all aforementioned vulnerability issues were closed in #336 and #339 🥳 Apparently, that happened after I updated jsonld from version 3 to version 4. I don't know why @fennibay said to update to version 5, as xmldom was removed in version 4.
However, we cannot update jsonld to versions >=5 because of the following issue - digitalbazaar/jsonld.js#451.