@xmldom/xmldom@0.7.5 vulnerable to CVE-2022-37616
Hi!
We got a warning about a vulnerability in @xmldom/xmldom.
Updating to version 0.8.3 should fix it - see also https://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
npm ls @xmldom/xmldom
`-- msw@0.47.4
  `-- @mswjs/interceptors@0.17.5
    `-- @xmldom/xmldom@0.7.5
See https://github.com/mswjs/interceptors/blob/v0.17.5/package.json#L71
Thank you!
Top GitHub Comments
@scottdickerson, the fix was released as part of the @mswjs/interceptors package; msw itself wasn’t affected.
Getting the new version of a transitive dependency like @mswjs/interceptors depends on your package manager. (For Yarn, I can manually edit yarn.lock, remove the @mswjs/interceptors block, then rerun yarn). Or it should work to uninstall (if needed) and reinstall msw (similar to what @kettanaito mentioned).

I’ve merged the dependabot’s pull request. That should trigger the build and release, and since it’s a patch version bump you will get it to your machines by re-installing msw.
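To confirm that a reinstall actually moved the transitive dependency, the following added example (not code from msw or from the thread participants) lists every dependency path that still resolves @xmldom/xmldom below the version named in the issue. It assumes input shaped like `npm ls --all --json` output; `sampleTree`, `findOutdated` and the other names are hypothetical, and the sample tree is constructed from the tree shown in the issue.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output,
// mirroring the dependency tree quoted in the issue.
const sampleTree = {
  name: "my-app", // hypothetical project name
  dependencies: {
    msw: {
      version: "0.47.4",
      dependencies: {
        "@mswjs/interceptors": {
          version: "0.17.5",
          dependencies: { "@xmldom/xmldom": { version: "0.7.5" } },
        },
      },
    },
  },
};

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` sorts strictly below `minimum`.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  if (!a || !b) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the tree and return every path ending at `pkg` with a version below `minimum`.
// The same package can be installed more than once, so all branches are visited.
function findOutdated(tree, pkg, minimum, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && isBelow(node.version, minimum)) hits.push(here.join(" > "));
    hits.push(...findOutdated(node, pkg, minimum, here));
  }
  return hits;
}

// Minimum version taken from the issue text ("Updating to version 0.8.3 should fix it").
console.log(findOutdated(sampleTree, "@xmldom/xmldom", "0.8.3"));
```

To check a real project, replace `sampleTree` with the parsed output of `npm ls --all --json`.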