From 3085ed9beee603cdb496fc7fb39357f15e0710d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?=
 =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?=
 =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Tue, 11 Apr 2023 15:05:56 +0200
Subject: [PATCH] fix(core): Update xml2js to address CVE-2023-0842 (#5948)

GH advisory: https://github.com/advisories/GHSA-776f-qx25-q3cc
---
 package.json | 1 +
 packages/nodes-base/package.json | 4 ++--
 packages/workflow/package.json | 4 ++--
 pnpm-lock.yaml | 39 ++++++++++++--------------------
 4 files changed, 19 insertions(+), 29 deletions(-)

diff --git a/package.json b/package.json
index cc19ec8094..36e5bc8a02 100644
--- a/package.json
+++ b/package.json
@@ -79,6 +79,7 @@
 "tslib": "^2.5.0",
 "ts-node": "^10.9.1",
 "typescript": "^5.0.3",
+ "xml2js": "^0.5.0",
 "cpy@8>globby": "^11.1.0",
 "qqjs>globby": "^11.1.0"
 },
diff --git a/packages/nodes-base/package.json b/packages/nodes-base/package.json
index e7c62ee0b9..7cb470b170 100644
--- a/packages/nodes-base/package.json
+++ b/packages/nodes-base/package.json
@@ -802,7 +802,7 @@
 "@types/ssh2-sftp-client": "^5.1.0",
 "@types/tmp": "^0.2.0",
 "@types/uuid": "^8.3.2",
- "@types/xml2js": "^0.4.3",
+ "@types/xml2js": "^0.4.11",
 "eslint-plugin-n8n-nodes-base": "^1.12.0",
 "gulp": "^4.0.0",
 "n8n-core": "workspace:*"
@@ -902,6 +902,6 @@
 "uuid": "^8.3.2",
 "vm2": "~3.9.15",
 "xlsx": "^0.17.0",
- "xml2js": "^0.4.23"
+ "xml2js": "^0.5.0"
 }
 }
diff --git a/packages/workflow/package.json b/packages/workflow/package.json
index 81e3468d16..194d0630cb 100644
--- a/packages/workflow/package.json
+++ b/packages/workflow/package.json
@@ -48,7 +48,7 @@
 "@types/lodash.merge": "^4.6.6",
 "@types/lodash.set": "^4.3.6",
 "@types/luxon": "^3.2.0",
- "@types/xml2js": "^0.4.3"
+ "@types/xml2js": "^0.4.11"
 },
 "dependencies": {
 "@n8n_io/riot-tmpl": "^3.0.0",
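Review bot: The `"xml2js": "^0.5.0"` entry added in the root package.json hunk (`@@ -79,6 +79,7 @@`) sits in an object that opens outside the hunk, presumably the pnpm overrides block given the `overrides:` section in pnpm-lock.yaml, and it moves every transitive consumer to 0.5.x regardless of the range that consumer declares. The pnpm-lock.yaml hunk at `@@ -8251,7 +8252,7 @@` shows one dependent going from `xml2js: 0.4.19` to `0.5.0`, so the fix for CVE-2023-0842 relies on 0.5.0 being API-compatible with those dependents, and the XML-handling paths should be exercised by tests before release. package.json cannot hold a comment, so the reason for the override lives only in this commit message; a tracked note such as `xml2js override: remove once all dependents declare >=0.5.0 (GHSA-776f-qx25-q3cc)` would keep it from becoming permanent. Overrides presumably do not travel with the published packages, so consumers outside this workspace depend on the direct `^0.5.0` bumps in packages/nodes-base and packages/workflow; that is worth confirming.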
@@ -66,6 +66,6 @@
 "recast": "^0.21.5",
 "title-case": "^3.0.3",
 "transliteration": "^2.3.5",
- "xml2js": "^0.4.23"
+ "xml2js": "^0.5.0"
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 9b4b5529f2..93474412c4 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -17,6 +17,7 @@ overrides: tslib: ^2.5.0 ts-node: ^10.9.1 typescript: ^5.0.3 + xml2js: ^0.5.0 cpy@8>globby: ^11.1.0 qqjs>globby: ^11.1.0 @@ -1410,8 +1411,8 @@ importers: specifier: ^0.17.0 version: 0.17.5 xml2js: - specifier: ^0.4.23 - version: 0.4.23 + specifier: ^0.5.0 + version: 0.5.0 devDependencies: '@types/amqplib': specifier: ^0.10.1 @@ -1618,7 +1619,7 @@ importers: specifier: ^8.3.2 version: 8.3.4 '@types/xml2js': - specifier: ^0.4.3 + specifier: ^0.4.11 version: 0.4.11 eslint-plugin-n8n-nodes-base: specifier: ^1.12.0 @@ -1678,8 +1679,8 @@ importers: specifier: ^2.3.5 version: 2.3.5 xml2js: - specifier: ^0.4.23 - version: 0.4.23 + specifier: ^0.5.0 + version: 0.5.0 devDependencies: '@types/crypto-js': specifier: ^4.1.1 @@ -1709,7 +1710,7 @@ importers: specifier: ^3.2.0 version: 3.2.0 '@types/xml2js': - specifier: ^0.4.3 + specifier: ^0.4.11 version: 0.4.11 packages: @@ -1861,7 +1862,7 @@ packages: tslib: 2.5.0 tunnel: 0.0.6 uuid: 8.3.2 - xml2js: 0.4.23 + xml2js: 0.5.0 transitivePeerDependencies: - encoding dev: false @@ -8251,7 +8252,7 @@ packages: url: 0.10.3 util: 0.12.4 uuid: 8.0.0 - xml2js: 0.4.19 + xml2js: 0.5.0 dev: false /aws-sign2@0.7.0: @@ -8555,7 +8556,7 @@ packages: resolution: {integrity: sha512-tWvcAbh8QPd/lj+yfGZBMY/roof/e2iSXrJbYXYjxVhHQ88D2CF3AxDTdwhb9wcNdHVNbCttaWipchJPEs5r0g==} engines: {node: '>=10'} dependencies: - xml2js: 0.4.23 + xml2js: 0.5.0 dev: false /body-parser@1.20.1: @@ -18626,7 +18627,7 @@ packages: resolution: {integrity: sha512-aqD3E8iavcCdkhVxNDIdg1nkBI17jgqF+9OqPS1orwNaOgySdpvq6B+DoONLhzjzwV8mWg37sb60e4bmLK117A==} dependencies: entities: 2.2.0 - xml2js: 0.4.23 + xml2js: 0.5.0 dev: false /run-async@2.4.1: 
@@ -20730,7 +20731,7 @@ packages: sqlite3: 5.1.6 tslib: 2.5.0 uuid: 9.0.0 - xml2js: 0.4.23 + xml2js: 0.5.0 yargs: 17.6.2 transitivePeerDependencies: - supports-color @@ -22145,15 +22146,8 @@ packages: engines: {node: '>=12'} dev: true - /xml2js@0.4.19: - resolution: {integrity: sha512-esZnJZJOiJR9wWKMyuvSE1y6Dq5LCuJanqhxslH2bxM6duahNZ+HMpCLhBQGZkbX6xRf8x1Y2eJlgt2q3qo49Q==} - dependencies: - sax: 1.2.4 - xmlbuilder: 9.0.7 - dev: false - - /xml2js@0.4.23: - resolution: {integrity: sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==} + /xml2js@0.5.0: + resolution: {integrity: sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==} engines: {node: '>=4.0.0'} dependencies: sax: 1.2.4 @@ -22169,11 +22163,6 @@ packages: engines: {node: '>=4.0'} dev: false - /xmlbuilder@9.0.7: - resolution: {integrity: sha512-7YXTQc3P2l9+0rjaUbLwMKRhtmwg1M1eDf6nag7urC7pIPYLD9W/jmzQ4ptRSUbodw5S0jfoGTflLemQibSpeQ==} - engines: {node: '>=4.0'} - dev: false - /xmlchars@2.2.0: resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==} dev: true