[Snyk] Upgrade @xmldom/xmldom from 0.7.9 to 0.8.6 #1

snyk-bot · 2023-04-09T00:51:30Z

Snyk has created this PR to upgrade @xmldom/xmldom from 0.7.9 to 0.8.6.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 8 versions ahead of your current version.
The recommended version was released 5 months ago, on 2022-11-05.

Release notes

Package name: @xmldom/xmldom

0.8.6 - 2022-11-05
Commits

Fixed
- Properly check nodes before replacement #457 / #455 / #456
Thank you, @ edemaine, @ pedro-l9, for your contributions
0.8.5 - 2022-10-31
Commits

Fixed
- fix: Restore ES5 compatibility #452 / #453
Thank you, @ fengxinming, for your contributions
0.8.4 - 2022-10-29
Commits

Fixed
- Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353
  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly.
  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
  Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity
Thank you, @ frumioj, @ cjbarth, @ markgollnick for your contributions
0.8.3 - 2022-10-11
0.8.2 - 2022-04-05
0.8.1 - 2022-02-14
0.8.0 - 2021-12-22
0.7.10 - 2023-03-31
commits

Fixed
- properly parse closing where the last attribute has no value #485 / #486
Thank you, @ bulandent, for your contributions
0.7.9 - 2022-11-05
Commits

Fixed
- Properly check nodes before replacement #457 / #455 / #456
Thank you, @ edemaine, @ pedro-l9, for your contributions

from @xmldom/xmldom GitHub release notes

Commit messages

Package name: @xmldom/xmldom

238b1ea 0.8.6
b6ad6e9 fix: Properly check nodes before replacement (#457)
d7cfa2b chore: Preconfigure branch and version in release script
afc57ec 0.8.5
1ab76c0 style: Apply prettier to tests
2debbf3 fix: Restore ES5 compatibility (#452)
27fec1f 0.8.4
a14687a docs: Prepare CHANGELOG for 0.8.4
7ff7c10 Merge pull request from GHSA-crh6-fp67-6883
c9df7a2 0.8.3
1c57b5e docs: Prepare CHANGELOG for 0.8.3
7c0d4b7 fix: Avoid iterating over prototype properties
a701915 chore(deps): update dependency eslint to v8.25.0 (#433)
2aef5ef chore(deps): update actions/setup-node action to v3 (#431)
0842586 chore(deps): update dependency eslint-plugin-prettier to v4.2.1 (#418)
8f1ee5e chore(deps): update dependency eslint to v8.24.0 (#430)
8a34f29 chore(deps): update dependency nodemon to v2.0.20 (#429)
ac8012f chore(deps): update dependency eslint to v8.23.1 (#419)
7efca8c chore(deps): update dependency nodemon to v2.0.19 (#420)
5eb649e chore(deps): update dependency eslint to v8.18.0 (#414)
dfe41f3 chore(deps): update dependency np to v7.6.2 (#415)
d9b9928 chore(deps): update dependency prettier to v2.7.1 (#413)
e5f58fe chore(deps): update dependency nodemon to v2.0.18 (#417)
45c8830 chore(deps): update dependency eslint to v8.17.0 (#408)

Compare

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

Snyk has created this PR to upgrade @xmldom/xmldom from 0.7.9 to 0.8.6. See this package in npm: https://www.npmjs.com/package/@xmldom/xmldom See this project in Snyk: https://app.snyk.io/org/jerk400/project/30dcbbc9-093b-4711-ace3-bdfebdfca6b6?utm_source=github&utm_medium=referral&page=upgrade-pr

socket-security · 2023-04-09T00:53:02Z

New dependency changes detected. Learn more about Socket for GitHub ↗︎

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore browserify-aes@1.2.0
@SocketSecurity ignore create-hash@1.2.0
@SocketSecurity ignore create-hmac@1.1.7
@SocketSecurity ignore heimdalljs@0.2.6
@SocketSecurity ignore minimalistic-assert@1.0.1
@SocketSecurity ignore parse-asn1@5.1.6
@SocketSecurity ignore process-nextick-args@2.0.1
@SocketSecurity ignore randombytes@2.1.0
@SocketSecurity ignore randomfill@1.0.4
@SocketSecurity ignore react-transition-group@4.4.5
@SocketSecurity ignore @xmldom/xmldom@0.8.6

⚠️ No contributors or author data

Package does not specify a list of contributors or an author in package.json.

Add a author field or contributors array to package.json.

Package	Location	Source
browserify-aes@1.2.0 (added)	package.json	`package-lock.json` via grunt-browserify@6.0.0
create-hash@1.2.0 (added)	package.json	`package-lock.json` via grunt-browserify@6.0.0
create-hmac@1.1.7 (added)	package.json	`package-lock.json` via grunt-browserify@6.0.0
heimdalljs@0.2.6 (added)	package.json	`package-lock.json` via i18next-parser@6.6.0
minimalistic-assert@1.0.1 (added)	package.json	`package-lock.json` via grunt-browserify@6.0.0, openpgp@5.2.1
parse-asn1@5.1.6 (added)	package.json	`package-lock.json` via grunt-browserify@6.0.0
process-nextick-args@2.0.1 (added)	package.json	`package-lock.json` via crx@5.0.1, grunt-browserify@6.0.0, i18next-parser@6.6.0, web-ext@7.5.0
randombytes@2.1.0 (added)	package.json	`package-lock.json` via babel-loader@8.3.0, grunt-browserify@6.0.0, webpack@5.76.1, webpack-cli@4.10.0
randomfill@1.0.4 (added)	package.json	`package-lock.json` via grunt-browserify@6.0.0
react-transition-group@4.4.5 (added)	package.json	`package-lock.json` via passbolt-styleguide@3.12.1

⚠️ Chronological version anomaly

Semantic versions published out of chronological order.

This could either indicate dependency confusion or a patched vulnerability.

Package	Previous Chronological	Previous Semver	Source
@xmldom/xmldom@0.8.6 (upgraded)	@xmldom/xmldom@0.9.0-beta.6 (11/3/2022, 8:00:45 AM)	@xmldom/xmldom@0.8.5 (10/31/2022, 8:56:40 AM)	`package-lock.json`, `package.json`

Pull request alert summary

Issue	Status
Critical CVE	✅ 0 issues
CVE	✅ 0 issues
Mild CVE	✅ 0 issues
Install scripts	✅ 0 issues
Native code	✅ 0 issues
Bin script confusion	✅ 0 issues
Bin script shell injection	✅ 0 issues
Filesystem access	✅ 0 issues
Network access	✅ 0 issues
Shell access	✅ 0 issues
Debug access	✅ 0 issues
Long strings	✅ 0 issues
High entropy strings	✅ 0 issues
URL strings	✅ 0 issues
Uses eval	✅ 0 issues
Dynamic require	✅ 0 issues
Environment variable access	✅ 0 issues
Missing dependency	✅ 0 issues
Unused dependency	✅ 0 issues
Peer dependency	✅ 0 issues
Uncaught optional dependency	✅ 0 issues
Unresolved require	✅ 0 issues
Extraneous dependency	✅ 0 issues
Obfuscated require	✅ 0 issues
Obfuscated code	✅ 0 issues
Minified code	✅ 0 issues
Bidirectional unicode control characters	✅ 0 issues
Zero width unicode chars	✅ 0 issues
Bad text encoding	✅ 0 issues
Unicode homoglyphs	✅ 0 issues
Invisible chars	✅ 0 issues
Suspicious strings	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
GitHub dependency	✅ 0 issues
File dependency	✅ 0 issues
No tests	✅ 0 issues
No repository	✅ 0 issues
Bad semver	✅ 0 issues
Bad dependency semver	✅ 0 issues
No v1	✅ 0 issues
No website	✅ 0 issues
No bug tracker	✅ 0 issues
No contributors or author data	⚠️ 10 issues
CommonJS depending on ESModule	✅ 0 issues
Empty package	✅ 0 issues
Trivial Package	✅ 0 issues
No README	✅ 0 issues
Deprecated	✅ 0 issues
Chronological version anomaly	⚠️ 1 issue
Semver anomaly	✅ 0 issues
New author	✅ 0 issues
Unstable ownership	✅ 0 issues
Non-existent author	✅ 0 issues
Unmaintained	✅ 0 issues
Unpublished package	✅ 0 issues
Major refactor	✅ 0 issues
Missing package tarball	✅ 0 issues
Unsafe copyright	✅ 0 issues
License change	✅ 0 issues
Non OSI license	✅ 0 issues
Deprecated license	✅ 0 issues
Missing license	✅ 0 issues
Non SPDX license	✅ 0 issues
Unclear license	✅ 0 issues
Mixed license	✅ 0 issues
Legal notice	✅ 0 issues
Modified license	✅ 0 issues
Modified license exception	✅ 0 issues
License exception	✅ 0 issues
Deprecated SPDX exception	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

📊 Modified Dependency Overview:

⬆️ Updated Package	Version Diff	Added Capability Access	`+/-` Transitive Count	Publisher
@xmldom/xmldom@0.8.6	0.7.9...0.8.6	None	`+0/-0`	karfau

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Upgrade @xmldom/xmldom from 0.7.9 to 0.8.6 #1

[Snyk] Upgrade @xmldom/xmldom from 0.7.9 to 0.8.6 #1

snyk-bot commented Apr 9, 2023

Fixed

Fixed

Fixed

Fixed

Fixed

socket-security bot commented Apr 9, 2023

[Snyk] Upgrade @xmldom/xmldom from 0.7.9 to 0.8.6 #1

Are you sure you want to change the base?

[Snyk] Upgrade @xmldom/xmldom from 0.7.9 to 0.8.6 #1

Conversation

snyk-bot commented Apr 9, 2023

Snyk has created this PR to upgrade @xmldom/xmldom from 0.7.9 to 0.8.6.

Fixed

Fixed

Fixed

Fixed

Fixed

socket-security bot commented Apr 9, 2023