
Vulnerability in @xmldom/xmldom 0.8.3 #139

Open
kachkaev opened this issue Nov 6, 2022 · 4 comments
Comments

kachkaev commented Nov 6, 2022

👋 @tyrasd! It’d be great to see this dependency upgraded; currently seeing:

yarn npm audit
└─ @xmldom/xmldom: 0.8.3
   ├─ Issue: xmldom allows multiple root nodes in a DOM
   ├─ URL: https://github.com/advisories/GHSA-crh6-fp67-6883
   ├─ Severity: critical
   ├─ Vulnerable Versions: >=0.8.0 <0.8.4
   ├─ Patched Versions: >=0.8.4
   ├─ Via: @xmldom/xmldom
   └─ Recommendation: Upgrade to version 0.8.4 or later

yarn why @xmldom/xmldom
├─ osmtogeojson@npm:3.0.0-beta.5
│  └─ @xmldom/xmldom@npm:0.8.3 (via npm:0.8.3)
│
└─ root-workspace-0b6124@workspace:.
   └─ @xmldom/xmldom@npm:0.8.6 (via npm:^0.8.6)

yarn why osmtogeojson
└─ root-workspace-0b6124@workspace:.
   └─ osmtogeojson@npm:3.0.0-beta.5 (via npm:^3.0.0-beta.5)

This issue is fixable by #138, but you can bump the minimum version further (0.8.4 → 0.8.6 at the time of writing).
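The advisory in the audit output above (GHSA-crh6-fp67-6883) describes xmldom accepting XML that has more than one top-level element and placing every such root under the Document's childNodes instead of reporting an error. Upgrading to 0.8.4 or later is the fix; the guard below is an added example, not code from osmtogeojson, xmldom or anyone in this thread, showing the application-side check a consumer can keep regardless of parser version: reject any parsed Document that does not have exactly one element child, before running getElementsByTagName or similar over it. The function names `requireSingleRoot` and `parseSingleRooted` are mine, and `singleRootDoc` / `twoRootDoc` are constructed fixtures that only mimic the DOM shape (`childNodes`, `nodeType`, `documentElement`) a `new DOMParser().parseFromString(xml, 'text/xml')` call would return, so the block runs without the library installed.

```javascript
// DOM nodeType constants (from the DOM spec; no library needed).
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;
const PROCESSING_INSTRUCTION_NODE = 7;
const COMMENT_NODE = 8;
const DOCUMENT_TYPE_NODE = 10;

/**
 * Return the single root element of a parsed XML Document, or throw.
 * Comments, processing instructions, a doctype and whitespace-only text are
 * legal siblings of the root element; a second element (or non-blank text)
 * means the input was not a well-formed single-rooted document and is
 * rejected before the caller searches the tree.
 */
function requireSingleRoot(doc) {
  const roots = [];
  for (const node of Array.from(doc.childNodes)) {
    switch (node.nodeType) {
      case ELEMENT_NODE:
        roots.push(node);
        break;
      case COMMENT_NODE:
      case PROCESSING_INSTRUCTION_NODE:
      case DOCUMENT_TYPE_NODE:
        break; // allowed outside the root element
      case TEXT_NODE:
        if (!/^\s*$/.test(node.data || '')) {
          throw new Error('non-whitespace text outside the root element');
        }
        break;
      default:
        throw new Error(`unexpected top-level node type ${node.nodeType}`);
    }
  }
  if (roots.length !== 1) {
    throw new Error(`expected exactly one root element, found ${roots.length}`);
  }
  // Defence in depth: documentElement must be the element we found.
  if (doc.documentElement && doc.documentElement !== roots[0]) {
    throw new Error('documentElement does not match the only root element');
  }
  return roots[0];
}

// Wrap any parser so callers get either a validated root or an exception.
// `parse` is whatever produces a Document; with the real library it would be
//   (xml) => new DOMParser().parseFromString(xml, 'text/xml')
function parseSingleRooted(parse, xml) {
  return requireSingleRoot(parse(xml));
}

// Constructed fixtures (hypothetical, not real parser output) shaped like
// DOM Documents, so the check can be exercised offline.
function el(tagName) {
  return { nodeType: ELEMENT_NODE, tagName };
}
function docOf(children) {
  const first = children.find((n) => n.nodeType === ELEMENT_NODE) || null;
  return { childNodes: children, documentElement: first };
}

// A well-formed document: one comment, one root element.
const singleRootDoc = docOf([
  { nodeType: COMMENT_NODE, data: ' generated ' },
  el('osm'),
]);
// The shape the advisory describes for input like "<osm/><osm/>":
// two element children under the Document, no error raised.
const twoRootDoc = docOf([el('osm'), el('osm')]);

function demo() {
  const ok = requireSingleRoot(singleRootDoc).tagName;
  let rejected = false;
  try {
    requireSingleRoot(twoRootDoc);
  } catch (e) {
    rejected = true;
  }
  return { ok, rejected };
}

console.log(demo());
```

With the real library, replace the `parse` argument of `parseSingleRooted` with a `DOMParser` call; the guard stays the same and catches the multi-root case whether or not the installed xmldom version reports it.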

@kachkaev kachkaev changed the title Vulnerability in @xmldom/xmldom Vulnerability in @xmldom/xmldom 0.8.3 Nov 6, 2022
kachkaev added a commit to kachkaev/tooling-for-how-old-is-this-house that referenced this issue Nov 6, 2022
yuiseki commented Jan 14, 2023

Hi, thanks for developing such great software, @tyrasd!
And thanks for raising the issue related to xmldom and then creating the pull request that fixes it, @kachkaev!

Please allow me to share with you a link to the GitHub Advisory on xmldom:
GHSA-crh6-fp67-6883

The GitHub Advisory marks the severity of this vulnerability as Critical.
Therefore, we are very sorry for the trouble, but please do update this dependency 🙏

johnlettman commented

Hello everyone!
I want to reach out and mention that I appreciate the existence of this project. Thank you @tyrasd! It's helped me write a tiny webpack loader for Overpass API queries.

As mentioned in previous comments, the @xmldom/xmldom dependency appears to be pinned to the vulnerable version. In PR #138, the comment suggesting a minimum version rather than a version pin could alleviate the vulnerability pretty succinctly: #138 (comment)

Though my project never uses the XML portion of osmtogeojson, I imagine others may have the alert, with their projects remaining vulnerable. Please consider merging; I would happily lend a hand in testing for any regressions.

Cheers! :)

johnlettman commented

Hello friends,

I would like to share the temporary workaround I've used in my package here:
johnlettman/overpassql-loader#6
johnlettman/overpassql-loader@ead1f13

It involves using the Snyk PR to resolve the CVE: #138

Essentially, you can change your dependency from NPM to the GitHub repository, using the branch Snyk opened the PR from (https://github.com/tyrasd/osmtogeojson/tree/snyk-fix-65371a4c4920389f7e5127c141088511).

Just run:

yarn add "https://github.com/tyrasd/osmtogeojson#snyk-fix-65371a4c4920389f7e5127c141088511"

kachkaev (author) commented Dec 6, 2023

@tyrasd 🙏

mvl22 added a commit to cyclestreets/bikedata that referenced this issue May 17, 2024