
Auditing webfont reveals moderate vulnerability in xmldom #482

Open
PrashantChittiZS opened this issue Aug 5, 2021 · 6 comments
Assignees
Labels
bug dependencies Pull requests that update a dependency file security

Comments

@PrashantChittiZS

Running npm audit while using webfont v11.2.20 reveals a vulnerability in xmldom which is moderate in severity.

[image: screenshot of the npm audit output]

@jimmyandrade
Collaborator

@PrashantChittiZS thanks for reporting that. What version of webfont are you using?

@jimmyandrade jimmyandrade added this to Needs triage in webfont bug triage via automation Aug 5, 2021
@jimmyandrade jimmyandrade added dependencies Pull requests that update a dependency file security bug labels Aug 5, 2021
@jimmyandrade jimmyandrade self-assigned this Aug 5, 2021
@PrashantChittiZS
Author

@PrashantChittiZS thanks for reporting that. What version of webfont are you using?

11.2.20

@jimmyandrade
Collaborator

jimmyandrade commented Aug 7, 2021

@PrashantChittiZS thanks. Unfortunately, our library depends on a vulnerable version of the svg2ttf package which, in turn, has this security problem by using an insecure version of xmldom.

On my side, I can't solve this as long as the xmldom and svg2ttf libraries don't solve this problem on their side.
I'm sorry :(
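The chain described in the comment above (webfont depends on svg2ttf, which depends on an old xmldom) is a transitive dependency, and a consumer needs to see the full path to know which maintainer can actually fix it. The script below is an added example, not code from the webfont or svg2ttf projects: it walks the `packages` map of a standard npm `package-lock.json` (lockfileVersion 2 or 3) and reports every chain from the root project to a named package, resolving each dependency the way Node does (nearest nested `node_modules` first, then each parent). The lockfiles embedded in it are constructed for the demonstration; the version numbers in them are illustrative, not the real versions involved in this issue.

```javascript
// Added example: trace transitive dependency chains in an npm lockfile.
// Assumes the standard lockfileVersion 2/3 layout: a "packages" object whose
// keys are install paths ("" for the root, "node_modules/foo",
// "node_modules/foo/node_modules/bar" for nested copies) and whose values
// carry "version" and a "dependencies" name->range map.

// Constructed lockfile: a flat install where webfont -> svg2ttf -> xmldom.
const CONSTRUCTED_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { webfont: "^11.2.20" } },
    "node_modules/webfont": { version: "11.2.20", dependencies: { svg2ttf: "^5.0.0" } },
    "node_modules/svg2ttf": { version: "5.0.0", dependencies: { xmldom: "~0.4.0" } },
    "node_modules/xmldom": { version: "0.4.0" },
  },
};

// Constructed lockfile with a nested copy: the app itself pulls a newer
// svg2ttf that uses the maintained "@xmldom/xmldom" fork, while the copy
// nested under webfont still resolves the old "xmldom".
const NESTED_LOCK = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { webfont: "^11.2.20", svg2ttf: "^6.0.0" } },
    "node_modules/webfont": { version: "11.2.20", dependencies: { svg2ttf: "^5.0.0" } },
    "node_modules/webfont/node_modules/svg2ttf": { version: "5.0.0", dependencies: { xmldom: "~0.4.0" } },
    "node_modules/webfont/node_modules/xmldom": { version: "0.4.0" },
    "node_modules/svg2ttf": { version: "6.0.0", dependencies: { "@xmldom/xmldom": "^0.7.0" } },
    "node_modules/@xmldom/xmldom": { version: "0.7.0" },
  },
};

// Resolve dependency `name` as required from the package installed at
// `fromPath`, following Node's lookup: try fromPath/node_modules/name, then
// the parent package's node_modules, and so on up to the root node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it (e.g. optional dep not installed)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain "root > a@x > b@y > target@z" that leads to `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const visiting = new Set(); // guards against dependency cycles

  function walk(path, chain) {
    if (visiting.has(path)) return;
    visiting.add(path);
    const deps = Object.keys((packages[path] || {}).dependencies || {});
    for (const name of deps) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved) continue;
      const next = chain.concat(`${name}@${packages[resolved].version}`);
      if (name === target) results.push(next.join(" > "));
      walk(resolved, next);
    }
    visiting.delete(path);
  }

  walk("", [lock.name || "(root)"]);
  return results;
}

// Every version of `name` physically installed anywhere in the tree, sorted,
// so an advisory's affected range can be compared against what is present.
function installedVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === suffix || path.endsWith(`/${suffix}`)) versions.add(entry.version);
  }
  return [...versions].sort();
}

// Stand-alone run: print the chains for both constructed lockfiles.
for (const lock of [CONSTRUCTED_LOCK, NESTED_LOCK]) {
  console.log(findDependencyPaths(lock, "xmldom"));
  console.log("installed xmldom versions:", installedVersions(lock, "xmldom"));
}
```

The chain output tells the consumer that the only way to remove the old xmldom is for svg2ttf to move off it and for webfont to pick up that svg2ttf release, which is exactly the dependency the comment above describes. Because the walk resolves nested `node_modules` copies, it also shows the case where a project already has a fixed svg2ttf at the root but a vulnerable copy still lives under webfont.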

@PrashantChittiZS
Author

PrashantChittiZS commented Aug 9, 2021

@jimmyandrade thanks for the quick turnaround. I have raised an issue regarding the same on svg2ttf. Will you be releasing a newer version of webfont as and when svg2ttf fixes the issue on their end?

@jimmyandrade
Collaborator

Will you be releasing a newer version of webfont, as and when svg2ttf fixes the issue on their end?

@PrashantChittiZS yes, I will :)

@wkeese

wkeese commented Feb 2, 2022

Looks like this is fixed, sometime between 11.2.20 and 11.2.26. I think you can close the ticket.
