When I build my project, I notice that the vulnerability CVE-2021-21366, detected in package xmldom (<0.5.0), is transitively referenced by jsonld-signatures@5.2.0.
However, jsonld-signatures@5.2.0 is so popular that the latest versions of a large number of active and popular downstream projects depend on it (about 92 downstream projects, e.g., did-veres-one 13.0.2, @affinityproject/wallet-core-sdk 0.13.3, caelum 1.2.22, @affinityproject/issuer-util 1.0.0-beta.9, @affinityproject/common-lib 0.4.1, etc.).
In this case, the vulnerability CVE-2021-21366 can be propagated into these downstream projects and expose them to security threats.
As you can see, jsonld-signatures@5.2.0 is introduced into the above projects via the following package dependency paths:
(1) @kiltprotocol/vc-export@0.22.1 ➔ vc-js@0.6.4 ➔ jsonld-signatures@5.2.0 ➔ jsonld@2.0.2 ➔ xmldom@0.1.19
(2) hypersign-auth-js-sdk@2.0.6 ➔ hs-ssi-sdk@5.0.1 ➔ did-veres-one@12.2.0 ➔ ocapld@2.0.0 ➔ jsonld-signatures@5.2.0 ➔ jsonld@2.0.2 ➔ xmldom@0.1.19
...
I know that it is kind of you to have removed the vulnerability as of jsonld-signatures@7.0.0. But, in fact, the large number of downstream projects above cannot easily upgrade jsonld-signatures from version 5.2.0 to >=7.0.0:
The projects such as vc-js, which introduced jsonld-signatures@5.2.0, are not maintained anymore. These unmaintained packages can neither upgrade jsonld-signatures nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package jsonld-signatures@5.2.0?
Suggested Solution
Since these inactive projects set a version constraint 5.2.* for jsonld-signatures on the above vulnerable dependency paths, if jsonld-signatures removes the vulnerability from 5.2.0 and releases a new patched version jsonld-signatures@5.2.1, such a vulnerability patch can be automatically propagated into the downstream projects.
In jsonld-signatures@5.2.1, maybe you can try to perform the following upgrade: jsonld ^2.0.2 ➔ ^4.0.0. Note: jsonld@4.0.0 (>=4.0.0) doesn't depend on xmldom any more.
Of course, you are welcome to share other ways to resolve the issue. ^_^
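The propagation argument in the issue (a `5.2.*` constraint picks up a hypothetical `5.2.1` patch release automatically, while a jump to `7.0.0` never reaches those consumers) can be checked mechanically. The following is an added example, not code from the issue or from the jsonld-signatures project: it walks a constructed, lock-file-style dependency tree modelled on the two paths quoted above, lists every path ending in an xmldom below 0.5.0, and then simulates the proposed fix (jsonld-signatures 5.2.x replaced by a 5.2.1 depending on jsonld@4.0.0) to confirm the paths disappear. The root package `example-app`, the `applyProposedFix` model and the minimal range matcher (only `^x.y.z` and `x.y.*` forms) are assumptions made for the example; a real audit would read `package-lock.json` and use the `semver` package.

```javascript
// Added example: find every dependency path that ends in a vulnerable xmldom
// (< 0.5.0) in a lock-file-style tree, and show which semver ranges would pick up
// a jsonld-signatures@5.2.1 patch release. The tree is constructed from the paths
// quoted in the issue; "example-app" is a made-up root, not a real package.

function parseVersion(v) {
  // Ignore any prerelease suffix (e.g. "1.0.0-beta.9") for ordering purposes.
  return v.split('-')[0].split('.').map(Number);
}

// Returns -1, 0 or 1 when comparing two x.y.z version strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal matcher for the two range forms that appear in the issue:
// "^x.y.z" (caret) and "x.y.*" (patch wildcard). Not a full semver implementation.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const baseStr = range.slice(1), base = parseVersion(baseStr);
    if (compareVersions(version, baseStr) < 0) return false;
    if (base[0] > 0) return v[0] === base[0];               // ^2.0.2  -> 2.x.y
    if (base[1] > 0) return v[0] === 0 && v[1] === base[1]; // ^0.1.19 -> 0.1.y only
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];    // ^0.0.z  -> exact
  }
  const m = /^(\d+)\.(\d+)\.\*$/.exec(range);
  if (m) return v[0] === Number(m[1]) && v[1] === Number(m[2]);
  throw new Error(`unsupported range: ${range}`);
}

// Depth-first search: every root-to-node path whose end node matches `predicate`.
function findPaths(node, predicate, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = predicate(node) ? [here.join(' -> ')] : [];
  for (const dep of node.dependencies || []) {
    hits.push(...findPaths(dep, predicate, here));
  }
  return hits;
}

const isVulnerableXmldom = (n) =>
  n.name === 'xmldom' && compareVersions(n.version, '0.5.0') < 0;

// Shared sub-tree from the issue: jsonld-signatures@5.2.0 -> jsonld@2.0.2 -> xmldom@0.1.19
const signaturesChain = () => ({
  name: 'jsonld-signatures', version: '5.2.0', dependencies: [
    { name: 'jsonld', version: '2.0.2', dependencies: [
      { name: 'xmldom', version: '0.1.19', dependencies: [] }] }] });

// Constructed tree (not a real lock file) reproducing the issue's two paths.
const tree = {
  name: 'example-app', version: '1.0.0', dependencies: [
    { name: 'vc-js', version: '0.6.4', dependencies: [signaturesChain()] },
    { name: 'hs-ssi-sdk', version: '5.0.1', dependencies: [
      { name: 'did-veres-one', version: '12.2.0', dependencies: [
        { name: 'ocapld', version: '2.0.0', dependencies: [signaturesChain()] }] }] }] };

// Model of the proposed fix (an assumption for this example): every
// jsonld-signatures matching "5.2.*" is swapped for a 5.2.1 that depends on
// jsonld@4.0.0, which the issue states no longer pulls in xmldom.
function applyProposedFix(node) {
  if (node.name === 'jsonld-signatures' && satisfies(node.version, '5.2.*')) {
    return { name: node.name, version: '5.2.1',
             dependencies: [{ name: 'jsonld', version: '4.0.0', dependencies: [] }] };
  }
  return { ...node, dependencies: (node.dependencies || []).map(applyProposedFix) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable paths before fix:');
  findPaths(tree, isVulnerableXmldom).forEach((p) => console.log('  ' + p));
  console.log('vulnerable paths after fix:',
    findPaths(applyProposedFix(tree), isVulnerableXmldom).length);
  console.log('5.2.1 satisfies 5.2.*:', satisfies('5.2.1', '5.2.*'));
  console.log('7.0.0 satisfies 5.2.*:', satisfies('7.0.0', '5.2.*'));
}
```

The `satisfies` check also explains the original exposure: a caret range on a 0.x package (`^0.1.19`) only admits 0.1.y, so no consumer pinned to xmldom 0.1.x could ever have received 0.5.0 through a routine `npm update`; the fix has to come from a new release of the package that declares the dependency.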
Can you see what the simplest fix here is? Maybe jsonld@2 could have a patch release with a later xmldom -- or maybe that is more challenging, I don't know.
The projects such as vc-js, which introduced jsonld-signatures@5.2.0, are not maintained anymore.
Btw, vc-js is still maintained -- and maintained by the same team that maintains both jsonld and jsonld-signatures. Its npm package name has just changed from vc-js to the scoped @digitalbazaar/vc to make maintenance easier. It all uses the same repository though: https://github.com/digitalbazaar/vc-js