Skip to content

[Security] now published as @xmldom/xmldom #271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
karfau opened this issue Jul 28, 2021 · 28 comments
Closed

[Security] now published as @xmldom/xmldom #271

karfau opened this issue Jul 28, 2021 · 28 comments
Assignees
@karfau @brody4hire
Labels
bug Something isn't working documentation Improvements or additions to documentation Security
Milestone
0.7.0

Comments

@karfau
Copy link
Member

karfau commented Jul 28, 2021
edited
Loading

&TLDR;

We published 0.7.0 to npm as @xmldom/xmldom and will continue to publish updates there.
To get the security update, you have to switch the package you use in your package.json.

"quick post-mortem" by @brodybits

Types from DefinitelyTyped are now included as of @xmldom/xmldom version 0.7.1.

Here are some stats regarding packages transitioning from one package to the other:


Image Historical daily/weekly downloads

We are currently not aware of a badge that gives accurate numbers for dependents, data is form the 2025-02-13.
according to npm:

  • @xmldom/xmldom: 766
  • xmldom: 2412
    according to Github:
  • Image

Original Summary

To update the library to the newest version including the latest security fix you will have to install to from the github repo or download the artifact from the github release and install it locally.

For details of how to do that and asking questions please use the related discussion

We have filed a ticket at the npm support team addressing the issue.

We will Post updates about the current status here but lock this issue to only allow additions by maintainers, to allow people to subscribe and get informed when something changes.

Quick background from @brodybits
@karfau karfau added bug Something isn't working awaiting response Maintainers are waiting for information labels Jul 28, 2021
@xmldom xmldom locked and limited conversation to collaborators Jul 28, 2021
@karfau karfau pinned this issue Jul 28, 2021
@karfau karfau changed the title We are currently not able to publish v0.7.0 the xmldom package to the npm registry. We are currently not able to publish v0.7.0 to the npm package registry. Jul 28, 2021
@karfau karfau changed the title We are currently not able to publish v0.7.0 to the npm package registry. We are currently not able to publish v0.7.0 to the npm package registry Jul 28, 2021
@karfau karfau added this to the 0.7.0 milestone Jul 28, 2021
@karfau karfau changed the title We are currently not able to publish v0.7.0 to the npm package registry [Security] We are currently not able to publish v0.7.0 to the npm package registry Jul 29, 2021
@wesleysd1989 wesleysd1989 mentioned this issue Aug 3, 2021
Closed
@andrewspinks andrewspinks mentioned this issue Aug 4, 2021
Closed
This was referenced Aug 5, 2021
Merged
Merged
Merged
Merged
@lucioperca lucioperca mentioned this issue Aug 5, 2021
Closed
@forty forty mentioned this issue Aug 6, 2021
Closed
@karfau
Copy link
Member Author

karfau commented Aug 6, 2021

GitHub (GitHub Support)
Aug 5, 2021, 1:39 PM UTC

Christian,

We are investigating your issue.

Thank you for your patience,
npm engineering

GitHub (GitHub Support)
Aug 5, 2021, 6:25 PM UTC
Hi Christian,

Thanks for reaching out.

We are currently unable to find any documentation or transactions, to confirm the unscoped xmldom package was previously owned by @xmldom org.

Please forward any supporting document or communication for the package ownership. Once received, we'll review your request to transfer the package to xmldom org.

Best.

Judith
GitHub Support

I replied today (6th of August)

Hello Judith,

I just checked npm info for the different xmldom versions:
The members of the npm xmldom org released all versions since 0.1.29.

The last release that was published by the maintainers listed on the npm website (jinjinyun and jindw) was 0.1.27 in November 2016

We documented the transition in our changelog, which is shipped with the packages since 0.3.0 (the linked section since 0.4.0).

Just in case this isn't enough, I Cced Chris Brody so he can reply with some reference of the mail conversation that lead to npm providing access to the package back then, in case it's still available.

Best,
Christian

@vladimiry vladimiry mentioned this issue Aug 6, 2021
Closed
@calcaide calcaide mentioned this issue Aug 6, 2021
Merged
@karfau
Copy link
Member Author

karfau commented Aug 8, 2021
edited by brody4hire
Loading

Just to clarify that there was a misunderstanding from my side, I'm adding here the reply that @brodybits added a day after my response:

Hello I would like to add some context with a correction, adding one of the former publishers in CC.

Back in December 2019 I sent a request to all xmldom package owners at the time with CC to npm support to find a way to get xmldom updated on npm.

In response to my request, Eric Newport AKA kethinov added me to the xmldom package on npm.

I created the xmldom org on GitHub and started publishing updates from this project: https://github.com/xmldom/xmldom

I have also registered xmldom as an org on npm: https://www.npmjs.com/org/xmldom
And I have obtained both xmldom.com and xmldom.org.

Our plan was to keep the xmldom package updated from https://github.com/xmldom/xmldom and consider splitting xmldom into smaller parts in the @xmldom namespace as discussed in this issue: #54

As a next step, I will send a copy of the conversation I had with Eric Newport and npm support to start updating the package back in December 2019.

Chris

From @brodybits - I am quoting below what I sent to npm support to quote the original conversation in I had with Eric Newport to start publishing updates to the xmldom package. I am quoting in plain-text format with someone's last name and all email addresses redacted out for privacy. I am quoting here to keep everything in chronological order, to help with a post-mortem analysis of what happened and why.

From: Chris Brody <xxx@xxx.xxx>
Date: Fri, Aug 6, 2021 at 2:57 PM
Subject: Re: [npm Support] - Access to (publish) xmldom package was
removed from xmldom org
To: karfau <xxx@xxx.xxx>, npm Support <xxx@xxx.xxx>
Cc: Kethinov <xxx@xxx.xxx>


Here is the original conversation where Eric Newport aka @kethinov
added me to the xmldom package.

Please note this clause in the email from Eric Newport:

with all previous contributors and owners welcome to resume
maintenance if they wish to become active again.


Our intention was to work together with the previous owners if they
wanted, NOT for xmldom to become fragmented between GitHub and npm as
it is now.

From: Kethinov <xxx@xxx.xxx>
Date: Thu, Dec 19, 2019 at 3:54 PM
Subject: Re: [npm] Re: Updating xmldom package
To: Chris Brody <xxx@xxx.xxx>
Cc: npm <xxx@xxx.xxx>, <xxx@xxx.xxx>,
<xxx@xxx.xxx>, <xxx@xxx.xxx>


FYI to all, I joined the GitHub organization and added Chris to the
npm package. Given Chris’ interest in maintaining the package. I think
it makes sense to hard fork xmldom and do maintenance from the new
GitHub organization instead, with all previous contributors and owners
welcome to resume maintenance if they wish to become active again.


On Dec 17, 2019, at 4:44 PM, Chris Brody <xxx@xxx.xxx> wrote:

Thanks to npm support for the response. The response did not seem to
include visible copy to any of the existing package owners. I am now
writing back with hopefully all existing owners included.

My npm user name: brodybits (I did already put this user name in the
original email, evidently not clear enough)

I am now waiting for a solution, hopefully from an existing owner, or
from npm support as a last resort. As I said before, I would be happy
with either of the following outcomes:

- existing owner publish an update and keep it in sync on GitHub
- someone grant me publishing rights on npm

I would also like to thank @kethinov for responding. I have now
registered xmldom org on GitHub and invited @kethinov to join as an
owner.

Chris

https://www.linkedin.com/in/chrisbrody/

On Tue, Dec 17, 2019 at 4:12 PM Judith XXX (npm) <xxx@xxx.xxx> wrote:
>
> ##- Please type your reply above this line -##
>
> Your request (75068) has been updated. To add additional comments, reply to this email.
>
> Judith XXX (npm)
>
> Dec 17, 13:12 PST
>
> Hi Chris and @jindw
>
> @ Chris: Thanks for starting this conversation and CC'ing npm support. I'll keep an eye on this discussion and if there isn't any progress in a few weeks, I'll respond directly. Also, provide the npm username that will be used to transfer the package over to you.
>
> @ jindw: We would really appreciate if you would be willing to work with Chris on this issue. If you agree with this request, then you can run npm owner add <chris username> xmldom or you can let me know and I'll be happy to do the work on my end.
>
> If either of you has questions about this process, please let me know, I'll be here to help!
>
> Best.
>
> Judith
> Support Tech
> npm, Inc.
>
>
>
> Chris Brody
>
> Dec 16, 09:33 PST
>
> Or make the hard fork in a new xmldom org, which seems to be not (yet) taken on GitHub.
>
> What should we do?
>
>
> Kethinov
>
> Dec 15, 19:41 PST
>
> I don’t have push powers to the GitHub repo, only the npm package. We would need jindw to grant more people admin over the GitHub repo (or to simply hard fork the repo) in order to get an update to the npm package cleanly.
>
> > On Dec 15, 2019, at 6:22 PM, Chris Brody <xxx@xxx.xxx> wrote:
> >
> > We would like to get the xmldom package updated on npm, specifically
> > with license field fixed ref:
> >
> > * https://github.com/jindw/xmldom/issues/248
> > * https://github.com/jindw/xmldom/issues/239
> > * https://github.com/jindw/xmldom/pull/178
> > * https://github.com/apache/cordova-common/issues/122
> >
> > I am making this request according to: https://www.npmjs.com/policies/disputes
> >
> > I would be happy with one of the following outcomes:
> >
> > - existing owner publish an update
> > - give brodybits (myself) or any other Cordova committer publishing
> > rights, using the following command for example: npm owner add
> > brodybits
> >
> > Please let me know if you have any questions or concerns. I would like
> > to thank you guys on behalf of the entire user community for your
> > efforts to author, publish, and maintain this package.
> >
> > Thanks and best regards,
> >
> > Chris
> >
> > https://www.linkedin.com/in/chrisbrody/

@karfau karfau changed the title [Security] We are currently not able to publish v0.7.0 to the npm package registry [Security] We are currently not able to publish to the npm package registry Aug 8, 2021
@olzzon olzzon mentioned this issue Aug 8, 2021
Merged
@amacneil amacneil mentioned this issue Aug 9, 2021
Closed
@karfau karfau changed the title [Security] We are currently not able to publish to the npm package registry [Security] We are currently not able to publish xmldom to the npm package registry Aug 9, 2021
@karfau karfau changed the title [Security] We are currently not able to publish xmldom to the npm package registry [Security] We are currently not able to publish xmldom to the npm package registry Aug 9, 2021
@karfau
Copy link
Member Author

karfau commented Aug 9, 2021
edited
Loading

We just received an answer:

GitHub (GitHub Support)
Aug 9, 2021, 10:17 AM UTC

Hey,

sorry this is taking so long. I'll try to get you at least publish access for 'karfau' and 'brodybits' to be able to post an update today (hopefully next few hours) and will also push to get the package transferred to your org (including the xmldom-alpha so you can deprecate it).

Stefan

Update: I'm now running a script that checks npm owner ls xmldom on a regular basis and will "make some noise" when I'm listed again.
Last checked 2021-08-09T19:30:00 (will check again tomorrow)

@jeromesimeon jeromesimeon mentioned this issue Aug 9, 2021
Merged
yong-asial added a commit to monaca/monaca-cli that referenced this issue Sep 12, 2022
@yong-asial @dependabot @karfau
MN-3479: update monaca-lib and dependencies to solve security vulnera…
b2142cd 
…bilities (#185)

* chore: bump 4.2.1

* Bump shelljs from 0.8.4 to 0.8.5 (#182)

Bumps [shelljs](https://github.com/shelljs/shelljs) from 0.8.4 to 0.8.5.
- [Release notes](https://github.com/shelljs/shelljs/releases)
- [Changelog](https://github.com/shelljs/shelljs/blob/master/CHANGELOG.md)
- [Commits](shelljs/shelljs@v0.8.4...v0.8.5)

---
updated-dependencies:
- dependency-name: shelljs
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump ws from 5.2.2 to 5.2.3 (#180)

Bumps [ws](https://github.com/websockets/ws) from 5.2.2 to 5.2.3.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@5.2.2...5.2.3)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump xmldom to 0.8.0 (#181)

Switching from package `xmldom` to `@xmldom/xmldom`, which resolves the security issue present in latest xmldom version 0.6.0:
GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0:
 xmldom/xmldom#271

- I used node 12 to run `npm install`.
- I executed `npm run test` on my machine without failure

* Bump ws from 5.2.2 to 5.2.3 (#180)

Bumps [ws](https://github.com/websockets/ws) from 5.2.2 to 5.2.3.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@5.2.2...5.2.3)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update Changelog

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christian Bewernitz <coder@karfau.de>
@karfau karfau mentioned this issue Oct 11, 2022
Closed
@karfau karfau added this to the 0.7.0 milestone Oct 25, 2022
@karfau karfau added the documentation Improvements or additions to documentation label Oct 25, 2022
@dvoegelin dvoegelin mentioned this issue Nov 1, 2022
Merged
6 tasks
@Rindiser Rindiser mentioned this issue Nov 15, 2022
Closed
@rossgp rossgp mentioned this issue Jan 30, 2023
Closed
@jmacura jmacura mentioned this issue Feb 3, 2023
Merged
@ieay4a ieay4a mentioned this issue Apr 18, 2023
Closed
@chris48s chris48s mentioned this issue Apr 19, 2023
Merged
linedotstar pushed a commit to betterup/pdfform.js that referenced this issue Aug 16, 2023
@karfau @linedotstar
Update dependency xmldom
23b9bdc 
Switching from package `xmldom` to `@xmldom/xmldom`, which resolves the security issue present in latest xmldom version 0.6.0:
GHSA-5fg8-2547-mr8q

The reason is that the maintainers were forced to switch to a scoped package since 0.7.0:
 xmldom/xmldom#271

- I used node 12 to run `npm install`.
- I executed `npm run test` on my machine without failure
- I tried to run `npm run prepublishOnly` but it failed in `make test` with one test timing out. After running `make force-install-libs` it fails in the step `make dist` (Makefile line 39), but from the error message it doesn't look like it's an issue related to this PR
- This makes phihag#35 obsolete

I'm one of the xmldom maintainers. Don't hesitate to ask me questions.

https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md
@pitAlex pitAlex mentioned this issue Aug 29, 2023
Open
@sbourouis sbourouis mentioned this issue Aug 31, 2023
Open
1 task
@availity-droo availity-droo mentioned this issue Sep 20, 2023
Closed
BinToss added a commit to BinToss/AvaloniaUI.AvaloniaVSCode that referenced this issue Feb 9, 2024
@BinToss
fix(vscode-avalonia, deps, deps-dev): patch CVE-2022-39299
c13d608 
See xmldom/xmldom#271
@BinToss BinToss mentioned this issue Feb 9, 2024
Closed
BinToss added a commit to BinToss/AvaloniaUI.AvaloniaVSCode that referenced this issue Feb 9, 2024
@BinToss
fix(vscode-avalonia, deps, deps-dev): patch CVE-2022-39299
86cd78d 
See xmldom/xmldom#271

Resolves AvaloniaUI#102
BinToss added a commit to BinToss/AvaloniaUI.AvaloniaVSCode that referenced this issue Feb 9, 2024
@BinToss
fix(vscode-avalonia, deps, deps-dev): patch CVE-2022-39353
9d6ced1 
See xmldom/xmldom#271

Resolves AvaloniaUI#102
@BinToss BinToss mentioned this issue Feb 9, 2024
Merged
BinToss added a commit to BinToss/AvaloniaUI.AvaloniaVSCode that referenced this issue Feb 9, 2024
@BinToss
fix(vscode-avalonia, deps, deps-dev): patch CVE-2022-39353
f268100 
See xmldom/xmldom#271
BinToss added a commit to BinToss/AvaloniaUI.AvaloniaVSCode that referenced this issue Feb 9, 2024
@BinToss
fix(vscode-avalonia, deps, deps-dev): patch CVE-2022-39353
141655e 
See xmldom/xmldom#271
@ABHINAVKR ABHINAVKR mentioned this issue Feb 26, 2024
Closed
This was referenced Mar 20, 2024
Closed
Merged
@a3957273 a3957273 mentioned this issue Mar 29, 2024
Merged
@mark05e mark05e mentioned this issue May 20, 2024
Open
@GabsEdits GabsEdits mentioned this issue Aug 3, 2024
Merged
cheekey0x added a commit to cheekey0x/ExifReader that referenced this issue Sep 3, 2024
@cheekey0x
Move from xmldom to @xmldom/xmldom
4c4b3c8 
xmldom/xmldom#271
@phillip-le phillip-le mentioned this issue Oct 10, 2024
Closed
@mojodna mojodna mentioned this issue Feb 10, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@karfau karfau

@brody4hire brody4hire

Labels
bug Something isn't working documentation Improvements or additions to documentation Security
Projects
None yet
Milestone
0.7.0
Development

No branches or pull requests
8 participants
@joebowbeer @karfau @kachkaev @brody4hire @ryankashi @PCOffline @ku18am and others