Hi! Thanks for maintaining kdbxweb.
We’re seeing a security issue in the latest npm release and wanted to report it:
- Current npm release: kdbxweb@2.1.1
- 2.1.1 depends on @xmldom/xmldom@^0.7.4
- That resolves to @xmldom/xmldom@0.7.13 in our lockfile
- @xmldom/xmldom < 0.8.12 is affected by GHSA-wh4c-j3r5-mjhp (high severity)
It looks like the repo’s current master already uses a safer range (@xmldom/xmldom ^0.8.10), but that change is not available in an npm release yet.
Could you publish a new npm version including the xmldom dependency update?
That would let downstream users clear the high-severity audit finding without using overrides or git-based dependency pins.
Thanks again for your work!
Hi! Thanks for maintaining kdbxweb.
We’re seeing a security issue in the latest npm release and wanted to report it:
It looks like the repo’s current master already uses a safer range (@xmldom/xmldom ^0.8.10), but that change is not available in an npm release yet.
Could you publish a new npm version including the xmldom dependency update?
That would let downstream users clear the high-severity audit finding without using overrides or git-based dependency pins.
Thanks again for your work!