[Security] Bump xml2js and parse-bmfont-xml
Bumps xml2js and parse-bmfont-xml. These dependencies needed to be updated together.
Updates xml2js from 0.4.23 to 0.5.0. This update includes a security fix.
Vulnerabilities fixed
xml2js is vulnerable to prototype pollution
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
Patched versions: 0.5.0
Affected versions: <= 0.4.23; < 0.5.0
Commits
- See full diff in compare view
Updates parse-bmfont-xml from 1.1.4 to 1.1.5
Commits
- b70995b 1.1.5
- 1e5fda8 Merge pull request #4 from Siyer2/master
- 7866377 Update xml2js package
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR:
- $dependabot rebase will rebase this MR
- $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts