Are there any problems when changing the package xmldom to @xmldom/xmldom?

Hi Vega Team!

I will release a Vega application using shaka-player.
But prior to releasing it, I found that a vulnerability exists in xmldom, as follows:
https://nvd.nist.gov/vuln/detail/CVE-2022-37616

So, to solve this problem,
I will change [ "xmldom": "~0.6.0" ] to [ "@xmldom/xmldom": "^0.9.9" ].
I want to know:
after I do it, are there any problems with the entire app?

Also, does Amazon recommend any specific xmldom versions which can solve the vulnerability problem?

Warm regards,
soseh

Hi @soseh

Thank you for flagging the CVE-2022-37616 vulnerability in xmldom.

You’re correct that @xmldom/xmldom is the actively maintained successor to the deprecated xmldom package, and upgrading to it is the standard approach to resolve this vulnerability.

Before making the change, could you clarify:

  1. Is xmldom a direct dependency in your app’s package.json, or does it come transitively through the Shaka Player dist build? On Vega, Shaka Player should be built using the Vega-specific dist generation steps. If xmldom is bundled inside that dist, the fix may need to be applied during the dist generation process rather than in your app’s dependencies directly.
  2. Which version of Shaka Player are you using, and did you follow the Vega-specific setup to generate the dist folder?

This will help us provide accurate guidance on where and how to make the change safely.

In general:

  • Replacing xmldom ~0.6.0 with @xmldom/xmldom ^0.9.9 is the correct fix for CVE-2022-37616
  • Be aware that @xmldom/xmldom has stricter parsing behavior in newer versions, so thorough testing of DASH manifest parsing and playback is recommended after the change
  • Update any import statements from require('xmldom') to require('@xmldom/xmldom') where applicable

Please test end-to-end playback (especially DASH content) after making the change and let us know if you encounter any issues.

Warm regards,
Ivy

Hi @Ivy_Mahajan
Thank you for your prompt response.

About question 1:
→ xmldom is a direct dependency in our app's package.json

About question 2:

Which version of Shaka Player are you using?

→ Shaka Player is v4.6.18.

Did you follow the Vega-specific setup to generate the dist folder?

→ Yes

Our app is currently playing DASH content.
I will contact you later with the test result after using '@xmldom/xmldom'.

Warm regards,
soseh

Hi Soseh,

Thank you for confirming.

Since xmldom is a direct dependency in your package.json, you can safely replace it:

// Remove

"xmldom": "~0.6.0"

// Replace with

"@xmldom/xmldom": "^0.9.9"

And update any import statements in your code:

// Before

const { DOMParser } = require('xmldom');

// After

const { DOMParser } = require('@xmldom/xmldom');

Since you’re playing DASH content with Shaka Player v4.6.18, please specifically test:

  • DASH manifest loading and parsing
  • Playback start, seek, and quality switching
  • Any custom XML parsing your app does directly

Let us know if you run into any issues.

Warm regards,
Ivy
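One practical follow-up to the two steps above (swap the package.json entry, then update the imports) is to check that no reference to the deprecated package survives anywhere in the project, since a single leftover require('xmldom') would still pull the vulnerable package in. The script below is an added example and is not code from this thread, from Shaka Player, or from Amazon; it uses only Node.js built-ins, and the package.json contents, source lines, and the name auditSample are constructed for illustration.

```javascript
// Added example (not from the thread): audit a project for leftover references
// to the deprecated `xmldom` package after switching to `@xmldom/xmldom`.
// Uses only Node.js built-ins so it runs offline.

// Dependency sections in package.json where the old package could still be listed.
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Returns the sections of a parsed package.json that still list the deprecated
// `xmldom` package. The scoped `@xmldom/xmldom` is the fix, so it is not reported.
function findDeprecatedXmldomDeps(pkg) {
  const hits = [];
  for (const section of DEP_SECTIONS) {
    const deps = pkg[section];
    if (deps && Object.prototype.hasOwnProperty.call(deps, 'xmldom')) {
      hits.push({ section, range: deps.xmldom });
    }
  }
  return hits;
}

// Matches require('xmldom'), require("xmldom/lib/..."), import ... from 'xmldom',
// with either quote style, but not '@xmldom/xmldom' (which starts with '@').
const STALE_IMPORT_RE = /(?:require\s*\(\s*|from\s+)(['"])xmldom(?:\/[^'"]*)?\1/;

// Returns the 1-based line numbers in a source file that still import the old package.
function findStaleImports(source) {
  const stale = [];
  source.split('\n').forEach((line, idx) => {
    if (STALE_IMPORT_RE.test(line)) stale.push(idx + 1);
  });
  return stale;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-vega-app',
  dependencies: { 'xmldom': '~0.6.0', 'shaka-player': '4.6.18' },
  devDependencies: { '@xmldom/xmldom': '^0.9.9' },
});

const SAMPLE_SOURCE = [
  "const { DOMParser } = require('xmldom');",            // stale: line 1
  'import { XMLSerializer } from "xmldom";',             // stale: line 2
  "const { DOMParser: P } = require('@xmldom/xmldom');", // already migrated: not a hit
  "const manifestText = fetchManifest('xmldom');",       // plain string literal: not an import
].join('\n');

// Runs both checks over the constructed samples and returns the findings.
function auditSample() {
  return {
    deps: findDeprecatedXmldomDeps(JSON.parse(SAMPLE_PACKAGE_JSON)),
    staleLines: findStaleImports(SAMPLE_SOURCE),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On a real project you would feed findDeprecatedXmldomDeps the parsed package.json and run findStaleImports over each .js/.ts file; an empty result from both is the condition to confirm before the end-to-end DASH playback tests described above.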

Hi @Ivy_Mahajan

I have tested all the cases you've mentioned,
and all is OK.

Thanks for your cooperation.

Warm regards,
soseh