npm audit fails with 5 vulnerabilities (4 low, 1 moderate) #63

Closed
pklaes opened this issue Jan 31, 2022 · 4 comments · Fixed by #64

Comments


pklaes commented Jan 31, 2022

This plugin references outdated libraries with vulnerabilities. They can be listed with

npm audit cordova-plugin-localization-strings

which gives the audit report below. I'll have a look at it and try to update the references.

# npm audit report

xmldom  *
Severity: moderate
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install cordova-plugin-localization-strings@2.0.0, which is a breaking change
node_modules/xmldom
  cordova-plugin-localization-strings  *
  Depends on vulnerable versions of xcode
  Depends on vulnerable versions of xmldom
  node_modules/cordova-plugin-localization-strings
  plist  0.3.2 - 3.0.1
  Depends on vulnerable versions of xmldom
  node_modules/simple-plist/node_modules/plist
    simple-plist  <=0.3.0
    Depends on vulnerable versions of plist
    node_modules/simple-plist
      xcode  0.8.3 - 1.1.0
      Depends on vulnerable versions of simple-plist
      node_modules/xcode

5 vulnerabilities (4 low, 1 moderate)
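The audit tree above shows why a single `xmldom` entry can appear under several paths: the plugin depends on it directly and again through xcode > simple-plist > plist. As an added illustration (not code from the plugin or from anyone in this thread), the script below walks a lockfile's `packages` map (the npm lockfileVersion 2 layout, keyed by node_modules path) and reports every chain through which the unscoped `xmldom` package is reachable. The lockfile contents and version numbers are constructed to mirror the report.

```javascript
// Constructed lockfileVersion 2 excerpt mirroring the audit tree above.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "cordova-plugin-localization-strings": "*" } },
    "node_modules/cordova-plugin-localization-strings": {
      version: "3.2.1", dependencies: { xcode: "*", xmldom: "*" } },
    "node_modules/xmldom": { version: "0.1.31" },
    "node_modules/xcode": { version: "1.0.0", dependencies: { "simple-plist": "*" } },
    "node_modules/simple-plist": { version: "0.3.0", dependencies: { plist: "*" } },
    "node_modules/simple-plist/node_modules/plist": {
      version: "3.0.1", dependencies: { xmldom: "*" } },
  },
};

// Resolve `name` the way Node does from `fromPath`: nearest node_modules
// first, then walk up towards the project root ("").
function resolveFrom(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// One entry per dependency chain from the root that ends in unscoped xmldom.
function findUnscopedXmldom(lock) {
  const found = [];
  const visit = (path, chain) => {
    const entry = lock.packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveFrom(lock.packages, path, dep);
      if (!target) continue;
      const next = chain.concat(dep);
      if (dep === "xmldom") {
        found.push({ path: target, version: lock.packages[target].version, chain: next });
      } else if (!chain.includes(dep)) { // guard against dependency cycles
        visit(target, next);
      }
    }
  };
  visit("", []);
  return found;
}

for (const hit of findUnscopedXmldom(sampleLock)) {
  console.log(`${hit.path}@${hit.version} via ${hit.chain.join(" > ")}`);
}
```

Pointing it at a real package-lock.json instead of `sampleLock` shows which chains still need a bump after switching the direct dependency to `@xmldom/xmldom`.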
@pklaes pklaes changed the title npm audit failes with 5 vilnerabilities (4 low, 1 moderate) npm audit failes with 5 vulnerabilities (4 low, 1 moderate) Jan 31, 2022
@rodrigograca31

Indeed, there's lots of outdated dependencies....
I would bump them all, but there's major versions involved and I don't have the time to test it.....

If anyone knows how to do those pre-release things on GitHub/npm, let me know...
Maybe I just need to change package.json to 4.0.0-pre? 🤔
That would allow me to bump everything and pray it worked, and people could report problems....?


pklaes commented Jan 31, 2022

You also should change xmldom to @xmldom/xmldom@0.8.0 (See https://www.npmjs.com/package/@xmldom/xmldom).

I just did a fork and am now testing on it, will report back.

@rodrigograca31

You also should change xmldom to @xmldom/xmldom@0.8.0 (See https://www.npmjs.com/package/@xmldom/xmldom).

I just did a fork and am now testing on it, will report back.

Good point!
Btw, there's already a fork and pull request linked above that already does all that,
and it will be merged and published to npm as soon as I solve an issue with my account....


pklaes commented Feb 1, 2022

Yeah, ath0mas beat me to it with his pull request, I'll switch to his version. On Android it looks good so far; I won't get around to testing with iOS for another few days.
