This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

[plist] Update xmldom for security reasons #4571

Merged
merged 1 commit into from Oct 28, 2022

mfulton26 (Contributor) commented Oct 19, 2022

Why

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom · CVE-2022-37616 · GitHub Advisory Database (GHSA-9pgh-qqpf-7wqj)

Fixes #4569

How

`@xmldom/xmldom` has already been patched:

fix: Avoid iterating over prototype properties by karfau · Pull Request #437 · xmldom/xmldom

Newer versions exist, but this is the latest patch version and there shouldn't be any breaking changes.

Test Plan

`yarn build` and `yarn test`

EvanBacon merged commit 68fdef1 into expo:main on Oct 28, 2022

Successfully merging this pull request may close these issues.

@expo/plist latest version 0.0.18 is dependent on a potential security vulnerable version of xmldom
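
The upstream fix referenced in this pull request is titled "Avoid iterating over prototype properties". As an added illustration (not code from xmldom, Expo or this pull request), the JavaScript below shows that pattern: a `for...in` copy that picks up inherited keys beside the own-property-only form, plus a small check a test suite could use. All function names and the sample object are hypothetical.

```javascript
// Loose copy: for...in also visits enumerable properties that are
// inherited through the prototype chain, so they land on dest too.
function copyAll(src, dest) {
  for (const key in src) {
    dest[key] = src[key];
  }
  return dest;
}

// Hardened copy: only properties the source object itself owns are copied.
function copyOwn(src, dest) {
  for (const key in src) {
    if (Object.prototype.hasOwnProperty.call(src, key)) {
      dest[key] = src[key];
    }
  }
  return dest;
}

// Regression check: list the keys a for...in loop would visit
// that the object does not own.
function inheritedEnumerableKeys(obj) {
  const inherited = [];
  for (const key in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) inherited.push(key);
  }
  return inherited;
}

// Constructed sample: a local prototype stands in for a prototype that
// carries an unexpected enumerable property. Object.prototype is untouched.
function demo() {
  const sharedProto = { isAdmin: true };
  const options = Object.create(sharedProto);
  options.locator = 'line:1'; // the only own property

  return {
    looseKeys: Object.keys(copyAll(options, {})).sort(),
    strictKeys: Object.keys(copyOwn(options, {})).sort(),
    inherited: inheritedEnumerableKeys(options),
  };
}

console.log(demo());
```

The loose copy turns the inherited `isAdmin` into an own property of the destination object, while the hardened copy carries over only `locator`.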