Skip to content

High Severity vulnerability GHSA-wh4c-j3r5-mjhp #61

Description

@chickahoona

Hi! Thanks for maintaining kdbxweb.

We’re seeing a security issue in the latest npm release and wanted to report it:

  • Current npm release: kdbxweb@2.1.1
  • 2.1.1 depends on @xmldom/xmldom@^0.7.4
  • That resolves to @xmldom/xmldom@0.7.13 in our lockfile
  • @xmldom/xmldom < 0.8.12 is affected by GHSA-wh4c-j3r5-mjhp (high severity)

It looks like the repo’s current master already uses a safer range (@xmldom/xmldom ^0.8.10), but that change is not available in an npm release yet.

Could you publish a new npm version including the xmldom dependency update?

That would let downstream users clear the high-severity audit finding without using overrides or git-based dependency pins.

Thanks again for your work!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions