[Security] Bump xml2js from 0.4.23 to 0.5.0
Bumps xml2js from 0.4.23 to 0.5.0. This update includes a security fix.
Vulnerabilities fixed
xml2js is vulnerable to prototype pollution

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

Patched versions: none
Affected versions: <= 0.4.23
Commits
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- `$dependabot rebase` will rebase this MR
- `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts
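
The advisory text above attributes the issue to unvalidated keys reaching `__proto__`. The following is an added example, not code from xml2js or from this MR: it shows the general bug class with a hypothetical key-merge routine beside a hardened form (null-prototype containers plus a key denylist). `buildUnsafe`, `buildSafe`, `compare` and the sample pairs are constructed for this illustration.

```javascript
// Constructed input: [path, value] pairs such as a parser might emit.
const SAMPLE_PAIRS = [
  [['user', 'name'], 'alice'],
  [['__proto__', 'isAdmin'], 'true'], // attacker-chosen element name
];

// Vulnerable form: containers are plain {} objects, so looking up the key
// "__proto__" returns Object.prototype and the write lands on it.
function buildUnsafe(pairs) {
  const root = {};
  for (const [path, value] of pairs) {
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Hardened form: null-prototype containers have no inherited "__proto__"
// accessor, and dangerous key names are dropped before any write.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function buildSafe(pairs) {
  const root = Object.create(null);
  for (const [path, value] of pairs) {
    if (path.some((key) => FORBIDDEN_KEYS.has(key))) continue;
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Runs both builders on the same input and reports whether a fresh {} inherits isAdmin.
function compare(pairs) {
  buildUnsafe(pairs);
  const unsafePolluted = ({}).isAdmin === 'true';
  delete Object.prototype.isAdmin; // undo the global side effect of the unsafe run
  const safe = buildSafe(pairs);
  return { unsafePolluted, safePolluted: ({}).isAdmin !== undefined, safeKeys: Object.keys(safe) };
}
console.log(compare(SAMPLE_PAIRS));
```
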