From e903d6107112fca64b54dec76019720c9df6a66a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?= =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?= =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
Date: Tue, 11 Apr 2023 15:05:56 +0200
Subject: [PATCH] fix(core): Update xml2js to address CVE-2023-0842 (#5948)

GH advisory: https://github.com/advisories/GHSA-776f-qx25-q3cc
---
 package.json | 1 +
 packages/nodes-base/package.json | 4 ++--
 packages/workflow/package.json | 4 ++--
 pnpm-lock.yaml | 39 ++++++++++++--------------------
 4 files changed, 19 insertions(+), 29 deletions(-)

diff --git a/package.json b/package.json
index c906b2f5fec16..32789f54e0274 100644
--- a/package.json
+++ b/package.json
@@ -77,6 +77,7 @@
 "prettier": "^2.8.3",
 "ts-node": "^10.9.1",
 "typescript": "^4.9.5",
+ "xml2js": "^0.5.0",
 "cpy@8>globby": "^11.1.0",
 "qqjs>globby": "^11.1.0"
 },
diff --git a/packages/nodes-base/package.json b/packages/nodes-base/package.json
index 8cb260aa39089..645ff89e62d07 100644
--- a/packages/nodes-base/package.json
+++ b/packages/nodes-base/package.json
@@ -800,7 +800,7 @@
 "@types/ssh2-sftp-client": "^5.1.0",
 "@types/tmp": "^0.2.0",
 "@types/uuid": "^8.3.2",
- "@types/xml2js": "^0.4.3",
+ "@types/xml2js": "^0.4.11",
 "eslint-plugin-n8n-nodes-base": "^1.12.0",
 "gulp": "^4.0.0",
 "n8n-core": "workspace:*"
@@ -899,6 +899,6 @@
 "uuid": "^8.3.2",
 "vm2": "~3.9.15",
 "xlsx": "^0.17.0",
- "xml2js": "^0.4.23"
+ "xml2js": "^0.5.0"
 }
 }
diff --git a/packages/workflow/package.json b/packages/workflow/package.json
index aae671e7f8d5d..2d2e1875e03a4 100644
--- a/packages/workflow/package.json
+++ b/packages/workflow/package.json
@@ -48,7 +48,7 @@
 "@types/lodash.merge": "^4.6.6",
 "@types/lodash.set": "^4.3.6",
 "@types/luxon": "^3.2.0",
- "@types/xml2js": "^0.4.3"
+ "@types/xml2js": "^0.4.11"
 },
 "dependencies": {
 "@n8n_io/riot-tmpl": "^3.0.0",
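Review bot: The `"xml2js": "^0.5.0"` entry added in the root package.json hunk is a workspace-wide override, so it also moves third-party dependents that previously resolved `xml2js` 0.4.19 and 0.4.23 in pnpm-lock.yaml onto 0.5.0, a version those packages presumably did not declare or test against. That is what removes the vulnerable copies named in CVE-2023-0842 from the tree, but the commit shows no test run or changelog check for the forced upgrade, so the XML-parsing paths of those dependents should be exercised before release. package.json cannot hold a comment, so the reason for the override belongs in the commit description or a tracking issue, with a note to drop it once the dependents declare a patched range. The enclosing object opens above the hunk; that it is the pnpm overrides map is inferred from the matching `overrides:` entry in the pnpm-lock.yaml hunk.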
@@ -66,6 +66,6 @@
 "recast": "^0.21.5",
 "title-case": "^3.0.3",
 "transliteration": "^2.3.5",
- "xml2js": "^0.4.23"
+ "xml2js": "^0.5.0"
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6a1fe2213d8b9..8938da7cef0b3 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -16,6 +16,7 @@ overrides: prettier: ^2.8.3 ts-node: ^10.9.1 typescript: ^4.9.5 + xml2js: ^0.5.0 cpy@8>globby: ^11.1.0 qqjs>globby: ^11.1.0 @@ -840,7 +841,7 @@ importers: '@types/ssh2-sftp-client': ^5.1.0 '@types/tmp': ^0.2.0 '@types/uuid': ^8.3.2 - '@types/xml2js': ^0.4.3 + '@types/xml2js': ^0.4.11 amqplib: ^0.10.3 aws4: ^1.8.0 basic-auth: ^2.0.1 @@ -936,7 +937,7 @@ importers: uuid: ^8.3.2 vm2: ~3.9.15 xlsx: ^0.17.0 - xml2js: ^0.4.23 + xml2js: ^0.5.0 dependencies: '@kafkajs/confluent-schema-registry': 1.0.6 amqplib: 0.10.3 @@ -1031,7 +1032,7 @@ importers: uuid: 8.3.2 vm2: 3.9.16 xlsx: 0.17.5 - xml2js: 0.4.23 + xml2js: 0.5.0 devDependencies: '@types/amqplib': 0.10.1 '@types/aws4': 1.11.2 @@ -1118,7 +1119,7 @@ importers: '@types/lodash.merge': ^4.6.6 '@types/lodash.set': ^4.3.6 '@types/luxon': ^3.2.0 - '@types/xml2js': ^0.4.3 + '@types/xml2js': ^0.4.11 ast-types: 0.15.2 crypto-js: ^4.1.1 deep-equal: ^2.2.0 @@ -1133,7 +1134,7 @@ importers: recast: ^0.21.5 title-case: ^3.0.3 transliteration: ^2.3.5 - xml2js: ^0.4.23 + xml2js: ^0.5.0 dependencies: '@n8n_io/riot-tmpl': 3.0.0 ast-types: 0.15.2 @@ -1150,7 +1151,7 @@ importers: recast: 0.21.5 title-case: 3.0.3 transliteration: 2.3.5 - xml2js: 0.4.23 + xml2js: 0.5.0 devDependencies: '@types/crypto-js': 4.1.1 '@types/deep-equal': 1.0.1 @@ -1312,7 +1313,7 @@ packages: tslib: 2.5.0 tunnel: 0.0.6 uuid: 8.3.2 - xml2js: 0.4.23 + xml2js: 0.5.0 transitivePeerDependencies: - encoding dev: false @@ -7704,7 +7705,7 @@ packages: url: 0.10.3 util: 0.12.4 uuid: 8.0.0 - xml2js: 0.4.19 + xml2js: 0.5.0 dev: false /aws-sign2/0.7.0:
@@ -8035,7 +8036,7 @@ packages: resolution: {integrity: sha512-tWvcAbh8QPd/lj+yfGZBMY/roof/e2iSXrJbYXYjxVhHQ88D2CF3AxDTdwhb9wcNdHVNbCttaWipchJPEs5r0g==} engines: {node: '>=10'} dependencies: - xml2js: 0.4.23 + xml2js: 0.5.0 dev: false /body-parser/1.20.1: @@ -18192,7 +18193,7 @@ packages: resolution: {integrity: sha512-aqD3E8iavcCdkhVxNDIdg1nkBI17jgqF+9OqPS1orwNaOgySdpvq6B+DoONLhzjzwV8mWg37sb60e4bmLK117A==} dependencies: entities: 2.2.0 - xml2js: 0.4.23 + xml2js: 0.5.0 dev: false /run-async/2.4.1: @@ -20329,7 +20330,7 @@ packages: sqlite3: 5.1.6 tslib: 2.5.0 uuid: 9.0.0 - xml2js: 0.4.23 + xml2js: 0.5.0 yargs: 17.6.2 transitivePeerDependencies: - supports-color @@ -21895,15 +21896,8 @@ packages: resolution: {integrity: sha512-huCv9IH9Tcf95zuYCsQraZtWnJvBtLVE0QHMOs8bWyZAFZNDcYjsPq1nEx8jKA9y+Beo9v+7OBPRisQTjinQMw==} dev: false - /xml2js/0.4.19: - resolution: {integrity: sha512-esZnJZJOiJR9wWKMyuvSE1y6Dq5LCuJanqhxslH2bxM6duahNZ+HMpCLhBQGZkbX6xRf8x1Y2eJlgt2q3qo49Q==} - dependencies: - sax: 1.2.4 - xmlbuilder: 9.0.7 - dev: false - - /xml2js/0.4.23: - resolution: {integrity: sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==} + /xml2js/0.5.0: + resolution: {integrity: sha512-drPFnkQJik/O+uPKpqSgr22mpuFHqKdbS835iAQrUC73L2F5WkboIRd63ai/2Yg6I1jzifPFKH2NTK+cfglkIA==} engines: {node: '>=4.0.0'} dependencies: sax: 1.2.4 @@ -21915,11 +21909,6 @@ packages: engines: {node: '>=4.0'} dev: false - /xmlbuilder/9.0.7: - resolution: {integrity: sha512-7YXTQc3P2l9+0rjaUbLwMKRhtmwg1M1eDf6nag7urC7pIPYLD9W/jmzQ4ptRSUbodw5S0jfoGTflLemQibSpeQ==} - engines: {node: '>=4.0'} - dev: false - /xmlchars/2.2.0: resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==} dev: true