Security vulnerability: fast-xml-parser

[skhilliard]

It looks like there is a dependency on v5.3.1 of fast-xml-parser:

fast-xml-parser 4.1.3 - 5.3.5
Severity: critical
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) - GHSA-jmr7-xgp7-cmfj
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - GHSA-m7jm-9gc2-mpf2

[timovv]

Hi @skhilliard, since @azure/core-xml takes a floating dependency on fast-xml-parser@^5.0.7, it will accept any version 5.0.7 or above and below 6.0.0. We can update the minimum here, but in the meantime, you should be able to resolve this issue immediately by doing a dependency upgrade (npm update, etc.), which will allow you to pull in a patched version of fast-xml-parser.

Let us know if you have any questions.

[cbelsole]

@azure/storage-file-share 12.30.0
└─┬ @azure/core-xml 1.4.4
  └── fast-xml-parser 4.5.4

@timovv The problem here is that @azure/core-xml's latest release version for @azure/storage-file-share is 1.4.4. So while you are correct the current verions of @azure/core-xml is compliant it is not available to @azure/storage-file-share.

[timovv]

Similar to core-xml's dependency on fast-xml-parser, storage-file-share takes a floating ^ dependency on core-xml. Any version of core-xml 1.4.4 and above that is below 2.0.0 would satisfy this requirement. That includes the most recently released version of core-xml. So I would expect a dependency upgrade to cover that situation also.