vulnerability in jsonld

[scenaristeur]

hi, my last npm update show me a dependency vulnerability on jsonld

"@ldflex/rdflib": "^1.0.0",
"@solid/query-ldflex": "^2.11.3",

(last version of "jsonld" is "version": "5.2.1-0")

xmldom  <0.5.0
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1650
No fix available
node_modules/jsonld/node_modules/xmldom
node_modules/rdflib/node_modules/xmldom
  jsonld  0.0.59 - 3.3.2
  Depends on vulnerable versions of xmldom
  node_modules/jsonld
    rdflib  >=0.2.1
    Depends on vulnerable versions of jsonld
    Depends on vulnerable versions of xmldom
    node_modules/rdflib
      @ldflex/rdflib  *
      Depends on vulnerable versions of rdflib
      node_modules/@ldflex/rdflib

[karfau]

I'm not sure if I'm reading this "stacktrace" properly, but at least some part of it is beause of the xmldom dependency of this project.

And there is actually a fix avaliable: switching to the new scoped package name @xmldom/xmldom which the maintainers were forced to use since 0.7.0 (which fixes the mentioned vulnerability.

I'm one of the maintainers and I'm going to provide a PR for that upgrade.