Description
Overview
Unfortunately, one of the dependencies includes a vulnerable version of the xmldom package.
[email protected] requires @xmldom/[email protected]
There is an open pull request upstream to resolve the issue here: tyrasd/osmtogeojson#138
There is also an open issue referencing the CVE here: tyrasd/osmtogeojson#139
The overpassql-loader package does not use this functionality; however, any project including the loader will pull in the vulnerable code. Therefore, resolving this here is a good move.
CVE description
xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing.
This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.
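As an added illustration (not code from this issue, from osmtogeojson or from overpassql-loader), a pre-parse check that counts top-level elements so that input with more than one root, which xmldom would otherwise accept silently, can be rejected before it reaches DOMParser. It assumes the input is an already-decoded string and does not handle DOCTYPE internal subsets.

```javascript
// Added example (not from the issue or from osmtogeojson/overpassql-loader):
// count top-level elements in an XML string so documents with several root
// nodes, which xmldom would accept silently, are rejected before parsing.
// Assumes a decoded string; bracketed DOCTYPE internal subsets are not handled.
function skipPast(xml, from, closer, what) {
  const end = xml.indexOf(closer, from);
  if (end === -1) throw new Error(`unterminated ${what}`);
  return end + closer.length;
}
function countTopLevelElements(xml) {
  let depth = 0;   // current element nesting depth
  let roots = 0;   // elements started while depth was 0
  let i = 0;
  while (i < xml.length) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    // Skip markup that never affects element depth (order matters: CDATA before '<!').
    if (xml.startsWith('<!--', lt)) { i = skipPast(xml, lt + 4, '-->', 'comment'); continue; }
    if (xml.startsWith('<![CDATA[', lt)) { i = skipPast(xml, lt + 9, ']]>', 'CDATA section'); continue; }
    if (xml.startsWith('<?', lt)) { i = skipPast(xml, lt + 2, '?>', 'processing instruction'); continue; }
    if (xml.startsWith('<!', lt)) { i = skipPast(xml, lt + 2, '>', 'declaration'); continue; }
    // Ordinary tag: find the closing '>' while ignoring '>' inside quoted attribute values.
    let j = lt + 1;
    let quote = null;
    for (; j < xml.length; j++) {
      const c = xml[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    if (j >= xml.length) throw new Error('unterminated tag');
    const tag = xml.slice(lt + 1, j);
    if (tag.startsWith('/')) {
      if (--depth < 0) throw new Error('closing tag without a matching opener');
    } else {
      if (depth === 0) roots++;           // a new element at the top level
      if (!tag.endsWith('/')) depth++;    // self-closing tags do not nest
    }
    i = j + 1;
  }
  if (depth !== 0) throw new Error('unclosed element');
  return roots;
}
// Guard to call before handing text to DOMParser: true only for exactly one root element.
function hasSingleRoot(xml) {
  return countTopLevelElements(xml) === 1;
}
```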
Temporary Resolution
As a temporary resolution, overpassql-loader should depend on the branch with the vulnerability removed here: https://github.com/tyrasd/osmtogeojson/tree/snyk-fix-65371a4c4920389f7e5127c141088511
Basically:
yarn add "https://github.com/tyrasd/osmtogeojson#snyk-fix-65371a4c4920389f7e5127c141088511"
This serves as advice to others encountering the problem.