fix: upgrade xml2js to 0.6.2 (CVE-2023-0842) with security tests#615
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-XML2JS-5414874
Anyone processing it?
Pull request overview
This PR aims to remediate Snyk-reported prototype pollution in xml2js by upgrading the dependency from 0.4.23 to 0.5.0 in the project’s npm dependencies.
Changes:
- Updates `xml2js` version range in `package.json` to `^0.5.0`.
- (Intended) updates `package-lock.json` to resolve `xml2js` to a non-vulnerable version, though the current lockfile content still pins `xml2js@0.4.23`.
Reviewed changes
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Bumps xml2js dependency range to ^0.5.0. |
| package-lock.json | Should reflect the resolved upgrade; currently appears to still lock xml2js to 0.4.23, so the remediation may not take effect. |
Pin xml2js@0.6.2 and regenerate package-lock.json to remediate CVE-2023-0842 (SNYK-JS-XML2JS-5414874). Add explicit unit tests that document the defineProperty/null-prototype descriptor guard and verify getGlyphsData does not pollute Object.prototype when parsing SVG with __proto__ elements. Supersedes the incomplete Snyk bump to ^0.5.0 (lockfile was untouched). Co-authored-by: Cursor <cursoragent@cursor.com>
@JacksonTian Yes — picking this up now on this same PR. The original Snyk commit only bumped
Updated this branch (same PR — no superseding PR needed):
Copilot review note addressed: the original Snyk diff did not update the lockfile; this branch does.
Summary
Proposed changes
This PR remediates prototype pollution in `xml2js` (CVE-2023-0842 / SNYK-JS-XML2JS-5414874) used by `getGlyphsData` to validate SVG input.
- `xml2js@0.6.2` (exact version) and regenerate `package-lock.json`.
- `proto-element.svg` fixture and unit tests in `glyphsData.test.ts` that document and enforce the security fix:
  - `xml2js >= 0.5.0` (defineProperty instead of `obj[key]` assignment);
  - `PropertyDescriptor` pattern from the upstream fix;
  - `__proto__` XML elements are stored as own properties without polluting `Object.prototype`;
  - `getGlyphsData` does not pollute when parsing malicious SVG and when rejecting malformed XML.
Note: The original Snyk commit only changed `package.json` to `^0.5.0` and did not update the lockfile. This branch merges current `master`, pins `0.6.2`, and adds explicit security tests (141 tests pass).
Related issue
N/A
Dependencies added/removed (if applicable)
- `xml2js` 0.4.23 → 0.6.2 (direct dependency)
Testing
- `glyphsData.test.ts` prototype pollution hardening (`describe("prototype pollution hardening (CVE-2023-0842 / SNYK-JS-XML2JS-5414874)")`)
- `svg xml validation via xml2js` suite
- `npm test` (141 tests)
How to test
- `npm test` — all 141 tests should pass.
- `npm audit` — `xml2js` should no longer be reported as vulnerable.
- `src/standalone/glyphsData.test.ts` — security tests document why the empty-file guard and `xml2js >= 0.5.0` are required.
Test configuration
N/A
Checklist
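The PR description above contrasts the pre-0.5.0 `obj[key]` assignment with the `defineProperty` / null-prototype-descriptor pattern, and its tests check that a `<__proto__>` element ends up as an own property. The following is an added example, not code from this PR, from the project, or from xml2js: a deliberately small element parser whose child-assignment step is pluggable, so both patterns can be run against the same constructed document and the difference inspected. The function names (`assignUnsafe`, `assignSafe`, `buildTree`, `pollutionReport`), the empty-document guard, and the two XML inputs are all assumptions made for the demonstration; the parser handles only nested elements and text, not attributes, comments, CDATA, or namespaces.

```javascript
// Added example (not xml2js and not the PR's test code). The two assignment
// strategies below are the only thing that differs between the "before" and
// "after" runs; everything else is a minimal tag/text tokenizer.

// Pre-fix pattern: plain bracket assignment. For key === "__proto__" this does
// not create a property at all; it invokes the Object.prototype.__proto__ setter
// and replaces the prototype of `obj` with `value`.
function assignUnsafe(obj, key, value) {
  obj[key] = value;
}

// Hardened pattern described in the PR: define an own data property through a
// null-prototype descriptor, so "__proto__" is stored like any other key.
function assignSafe(obj, key, value) {
  const descriptor = Object.create(null);
  descriptor.value = value;
  descriptor.writable = true;
  descriptor.enumerable = true;
  descriptor.configurable = true;
  Object.defineProperty(obj, key, descriptor);
}

// Build a nested object from `xml`, calling `assign(parent, tagName, value)` for
// every closed element. Leaf elements become their trimmed text; elements with
// children become an object keyed by child tag name. Duplicate sibling tags
// simply overwrite here (xml2js would build an array), which is irrelevant to
// the prototype question being demonstrated.
function buildTree(xml, assign) {
  const tokenRe = /<\/([^\s>]+)>|<([^\s/>]+)>|([^<]+)/g; // close tag | open tag | text
  const stack = [{ name: "#document", children: {}, childCount: 0, text: "" }];
  let m;
  while ((m = tokenRe.exec(xml)) !== null) {
    if (m[2] !== undefined) {
      stack.push({ name: m[2], children: {}, childCount: 0, text: "" });
    } else if (m[1] !== undefined) {
      if (stack.length < 2 || stack[stack.length - 1].name !== m[1]) {
        throw new Error(`mismatched closing tag </${m[1]}>`);
      }
      const node = stack.pop();
      const parent = stack[stack.length - 1];
      // childCount is tracked explicitly: after the unsafe assignment the
      // children object has no own keys, so Object.keys() could not be used.
      const value = node.childCount === 0 ? node.text.trim() : node.children;
      assign(parent.children, node.name, value);
      parent.childCount += 1;
    } else {
      stack[stack.length - 1].text += m[3];
    }
  }
  if (stack.length !== 1) {
    throw new Error(`unclosed element <${stack[stack.length - 1].name}>`);
  }
  // Assumed guard, in the spirit of the empty-file guard the PR mentions:
  // a document with no root element is rejected rather than parsed to {}.
  if (stack[0].childCount === 0) throw new Error("empty document: no root element");
  return stack[0].children;
}

// Constructed inputs. The malicious one has the shape the PR's proto-element.svg
// fixture is described as having: a <__proto__> element carrying a child.
const BENIGN_XML = "<user><role>admin</role></user>";
const MALICIOUS_XML = "<user><__proto__><role>admin</role></__proto__></user>";

// The PR's tests in miniature: when `user.role` resolves, is that the document's
// own data, a swapped prototype, or a polluted Object.prototype?
function pollutionReport(xml, assign) {
  const user = buildTree(xml, assign).user;
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    roleLookup: user.role,                                          // what `user.role` returns
    ownRole: hasOwn(user, "role"),                                  // came from the document?
    ownProto: hasOwn(user, "__proto__"),                            // stored as a plain key?
    prototypeIntact: Object.getPrototypeOf(user) === Object.prototype,
    globalClean: ({}).role === undefined,                           // Object.prototype untouched?
  };
}

console.log("pre-fix assignment :", pollutionReport(MALICIOUS_XML, assignUnsafe));
console.log("defineProperty     :", pollutionReport(MALICIOUS_XML, assignSafe));
console.log("benign document    :", pollutionReport(BENIGN_XML, assignSafe));
```

With the pre-fix assignment the malicious document yields `roleLookup: "admin"` even though `ownRole` is `false`: the `<__proto__>` element became the prototype of the parsed `user` object, which is exactly how a downstream `if (!user.role)` default check gets bypassed. With the `defineProperty` pattern the same document yields `roleLookup: undefined`, `ownProto: true` and an intact prototype. Note that in both runs `globalClean` stays `true`: this form of the attack rewires the result's prototype rather than editing `Object.prototype`, so a test that only asserts on `Object.prototype` (as the PR's description says its tests do) should be paired with a check on the parsed object's own prototype as well.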