
Auditing webfont reveals moderate vulnerability in xmldom

Open PrashantChittiZS opened this issue 4 years ago • 6 comments

Running npm audit while using webfont v11.2.20 reveals a vulnerability in xmldom which is moderate in severity.


PrashantChittiZS avatar Aug 05 '21 10:08 PrashantChittiZS

@PrashantChittiZS thanks for reporting that. What version of webfont are you using?

jimmyandrade avatar Aug 05 '21 16:08 jimmyandrade

@PrashantChittiZS thanks for reporting that. What version of webfont are you using?

11.2.20

PrashantChittiZS avatar Aug 05 '21 16:08 PrashantChittiZS

@PrashantChittiZS thanks. Unfortunately, our library depends on a vulnerable version of the svg2ttf package which, in turn, has this security problem by using an insecure version of xmldom.

On my side, I can't solve this as long as the xmldom and svg2ttf libraries don't solve this problem on their side. I'm sorry :(

jimmyandrade avatar Aug 07 '21 00:08 jimmyandrade
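To see the transitive chain the maintainer describes (webfont depending on svg2ttf, which pulls in xmldom), a practitioner can walk the project's package-lock.json instead of trusting a single `npm audit` line. The script below is an added example, not code from the webfont project; the lockfile it walks is constructed, and the package versions and the "fixed" threshold are assumptions, not values taken from this thread or from any advisory.

```javascript
// Constructed lockfile (lockfileVersion 2 "packages" map) mirroring the webfont -> svg2ttf -> xmldom
// chain from the issue; versions here are assumptions, not values from the thread or an advisory.
const LOCK = {
  packages: {
    "": { dependencies: { webfont: "^11.2.20" } },
    "node_modules/webfont": { version: "11.2.20", dependencies: { svg2ttf: "^5.0.0" } },
    "node_modules/svg2ttf": { version: "5.2.0", dependencies: { xmldom: "~0.1.0" } },
    "node_modules/xmldom": { version: "0.1.31" },
  },
};

// Resolve `dep` the way Node does from the package at `fromPath`: nearest node_modules first,
// then walk up toward the project root (""); returns the lockfile key or null.
function resolveDep(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const key = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Depth-first walk from the root; returns every dependency chain ending at `target`
// together with the version it resolves to. `seen` guards against cyclic dependencies.
function findPaths(lock, target, path = "", chain = [], seen = new Set()) {
  const results = [];
  const deps = Object.keys((lock.packages[path] || {}).dependencies || {});
  for (const dep of deps) {
    const key = resolveDep(lock.packages, path, dep);
    if (!key || seen.has(key)) continue;
    const next = chain.concat(dep);
    if (dep === target) results.push({ chain: next, version: lock.packages[key].version });
    results.push(...findPaths(lock, target, key, next, new Set(seen).add(key)));
  }
  return results;
}
// Numeric major.minor.patch comparison (prerelease tags ignored; enough for lockfile versions).
function belowFixed(version, fixed) {
  const a = version.split(".").map(Number), b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Chains that still resolve to a version below the assumed fixed release.
function vulnerableChains(lock, target, fixedVersion) {
  return findPaths(lock, target).filter((r) => belowFixed(r.version, fixedVersion));
}
// Prints ["webfont > svg2ttf > xmldom (0.1.31)"] for the constructed lockfile above.
console.log(vulnerableChains(LOCK, "xmldom", "0.5.0").map((r) => `${r.chain.join(" > ")} (${r.version})`));
```

Replace `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; an empty result for a given threshold shows that every path to the package already resolves to a version at or above it.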

@jimmyandrade thanks for the quick turnaround, I have raised an issue regarding the same on svg2ttf. Will you be releasing a newer version of webfont, as and when svg2ttf fixes the issue on their end?

PrashantChittiZS avatar Aug 09 '21 07:08 PrashantChittiZS

Will you be releasing a newer version of webfont, as and when svg2ttf fixes the issue on their end?

@PrashantChittiZS yes, I will :)

jimmyandrade avatar Aug 10 '21 16:08 jimmyandrade

Looks like this is fixed, sometime between 11.2.20 and 11.2.26. I think you can close the ticket.

wkeese avatar Feb 02 '22 15:02 wkeese