Skip to content
This repository was archived by the owner on Jan 18, 2024. It is now read-only.
This repository was archived by the owner on Jan 18, 2024. It is now read-only.

@expo/plist latest version 0.0.18 is dependent on a potential security vulnerable version of xmldom #4569

Description

@chiragsoni81245

Summary

@expo/plist version 0.0.18 package which is by default being used in expo-cli is dependent on a potential security-vulnerable version of xmldom which is "@xmldom/xmldom" "~0.7.0"

Environment

expo-env-info 1.0.5 environment info:
System:
OS: Windows 10 10.0.25217
Binaries:
Node: 16.13.2 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.19 - C:\Program Files\nodejs\yarn.CMD
npm: 8.19.1 - C:\Program Files\nodejs\npm.CMD
IDEs:
Android Studio: AI-212.5712.43.2112.8609683
npmPackages:
expo: ~45.0.0 => 45.0.6
react: 17.0.2 => 17.0.2
react-dom: 17.0.2 => 17.0.2
react-native: 0.68.2 => 0.68.2
react-native-web: 0.17.7 => 0.17.7
Expo Workflow: managed

Please specify your device/emulator/simulator platform, model and version

Android 10

Error output

No response

Reproducible demo or steps to reproduce from a blank project

We got a notification from GitHub that one of the packages which is "@xmldom/xmldom" "~0.7.0" we are using is potentially vulnerable so as we checked its being used via @expo/plist here is a patched version of @xmldom/xmldom@^0.8.3 please update dependencies for @expo/plist

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions