Security Issue

[allanice001]

Issues with no direct upgrade or patch:
✗ XML External Entity (XXE) Injection [Medium Severity][https://snyk.io/vuln/SNYK-JS-XMLDOM-1084960] in xmldom@0.1.31
introduced by passport-twitter@1.0.4 > xtraverse@0.1.0 > xmldom@0.1.31
This issue was fixed in versions: 0.5.0

Any chance of upgrading the xmldom dependency?

[hthetiot]

The fix need to append on xtraverse first, see PR:
jaredhanson/node-xtraverse#1

[dmitrizzle]

The fix need to append on xtraverse first, see PR:
jaredhanson/node-xtraverse#1

This lib looks to have last been updated 8 years ago. Perhaps it needs to be forked, or is there any other way to fix this issue here?

[allanice001]

I've done the needful - https://www.npmjs.com/package/xtraverse1

[hthetiot]

Thank you @allanice001

[julianlam]

@jaredhanson I know you're around now, you committed to this repo yesterday 😸

Can you merge jaredhanson/node-xtraverse#1 now? 🙏

[arnauddsj]

Hello, any news on this matter? I implemented "passport-twitter": "^1.0.4", today and discover that it Depends on vulnerable versions of xmldom. Is it a package people use in production or is there another package somewhere to be used? Thanks!

[hthetiot]

Hello, any news on this matter? I implemented "passport-twitter": "^1.0.4", today and discover that it Depends on vulnerable versions of xmldom. Is it a package people use in production or is there another package somewhere to be used? Thanks!

If you take the time to understand the previous comments in this issue you should understand that the fix is in the way. And asking for an alternative package instead of helping the maintainer to update is not the right way to help an open source librairie in my POV. So be patiente is the best course of action if you are not knowledgeable .

[allanice001]

I love OSS, but this issue has been going on for over 6 months, without the current maintainer @jaredhanson taking note of this issue., so in all respect @hthetiot - please advise an alternative - the PRs are done, and unless there are more maintainers to the package, there really is no way forward.

[Martii]

Ref:

• Switch to @xmldom/xmldom to address security advisories node-xtraverse#2

[it-smtech]

Any updates on this issue please ?

[allanice001]

I've done the needful - https://www.npmjs.com/package/xtraverse1

still no feedback from the original maintainer @jaredhanson

[Dylankjy]

Good day, is there an alternative package to use? Seems that the maintainer is unresponsive for a very long time.

[allanice001]

Alright everyone,
I've cloned the two repositories and started their own lifecycle at passportjs
I've also created a npm org @passport-js

Right now, you're more than welcome to look at using @passport-js/passport-twitter as a replacement dependency, which consumes the patched traverse package - @passport-js/xtraverse

[julianlam]

@allanice001 are you part of the passport.js organization?