
Security Issues on Dependency xmldom 0.7.5

Open PacoRivera13 opened this issue 3 years ago • 1 comments

Hi,

I'm using this version on my ionic project: "@trapezedev/configure": "3.0.6",

This has installed a dependency for xmldom 0.7.5. This version requires an update to fix a security issue listed below: https://www.tenable.com/cve/CVE-2022-37616 It is required to upgrade to version 0.8.3.

When could you schedule this upgrade on your package's dependency?

PacoRivera13 avatar Oct 13 '22 14:10 PacoRivera13

Reverted the change for now as it broke their API. Will need to investigate later https://github.com/ionic-team/trapeze/actions/runs/3250541946/jobs/5334353927

mlynch avatar Oct 14 '22 14:10 mlynch

Reverted the change for now as it broke their API. Will need to investigate later https://github.com/ionic-team/trapeze/actions/runs/3250541946/jobs/5334353927

@mlynch Any update on this issue?

PacoRivera13 avatar Nov 09 '22 16:11 PacoRivera13

Not sure what's going on but they seem to be retracting their CVE

https://www.tenable.com/cve/CVE-2022-37616


mlynch avatar Nov 15 '22 14:11 mlynch

Closing as invalid per discussion here https://github.com/xmldom/xmldom/issues/436

mlynch avatar Nov 22 '22 14:11 mlynch

@mlynch The dispute was reported; however, the vulnerability was later reconfirmed, as discussed in the same thread you shared: https://github.com/xmldom/xmldom/issues/436 This is still an issue.

joshuah459 avatar Oct 02 '23 16:10 joshuah459