Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the version of xmldom for actions-secret-parser #102

Open
MoChilia opened this issue Feb 21, 2024 · 0 comments
Open

Bump the version of xmldom for actions-secret-parser #102

MoChilia opened this issue Feb 21, 2024 · 0 comments

Comments

@MoChilia
Copy link

xmldom<=0.6.0 allows multiple root nodes in a DOM is regarded as a critical vulnerability scanned by GitHub Dependabot.

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing.
This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Please bump the version of xmldom, otherwise anyone depends on actions-secret-parser will be affected by this vulnerability.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@MoChilia