Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

@xmldom/xmldom@0.7.5 vulnerable to CVE-2022-37616

See original GitHub issue

Hi! We got a warning in about a vulnerability in @xmldom/xmldom. Updating to version 0.8.3 should fix it - see also https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj

npm ls @xmldom/xmldom
`-- msw@0.47.4
  `-- @mswjs/interceptors@0.17.5
    `-- @xmldom/xmldom@0.7.5

See https://github.com/mswjs/interceptors/blob/v0.17.5/package.json#L71

Thank you!

Issue Analytics

State:
Created a year ago
Reactions:1
Comments:6 (3 by maintainers)

Top GitHub Comments

4reactions

joshkelcommented, Oct 19, 2022

@scottdickerson , the fix was released as part of the @mswjs/interceptors package; msw itself wasn’t affected.

Getting the new version of a transitive dependency like @mswjs/interceptors depends on your package manager. (For Yarn, I can manually edit yarn.lock, remove the @mswjs/interceptors block, then rerun yarn). Or it should work to uninstall (if needed) and reinstall msw (similar to what @kettanaito mentioned).

3reactions

kettanaitocommented, Oct 12, 2022

I’ve merged the dependabot’s pull request. That should trigger the build and release, and since it’s a patch version bump you will get it to your machines by re-installing msw.