I conducted a yarn audit and found vulnerabilities in two packages: xmldom, which is used within the Shaka Player polyfills file, and logkitty, which is used internally by @amazon-devices/react-native-w3cmedia. If possible, I would appreciate it if you could address these vulnerabilities.
Regarding xmldom, I have installed the latest version, 0.6.0, but the vulnerability is still being reported. If it is necessary to replace this package with an alternative, please let me know.
For the logkitty vulnerability: This is used internally by our @amazon-devices/react-native-w3cmedia package. The good news is there’s a patch available (version >=0.7.1). Our team needs to update the dependency on our end and release a new version of the SDK.
For the xmldom vulnerability: I see you’ve already upgraded to v0.6.0. @Jason_Aeschliman mentioned this might be mislabeled as critical. I’m checking with the engineering team to see if this actually impacts your use case with Shaka Player polyfills, or if we need to recommend an alternative package.
It looks as though it did cause a security issue with a SAML authentication lib that depended on it at some point, but the library has been patched for quite some time (~a few years).
Thank you for your quick response. I appreciate your team looking into this. As @Jason_Aeschliman mentioned above, the vulnerability in xmldom seems to stem from a potential bug. I am a little bit concerned about the impact this might have on our application in a production environment.
Please let me know once you have any further information regarding this.
We have made a change to update @amazon-devices/react-native-w3cmedia, removing the dependency on react-native-tscodegen-types@0.66.0, which was pulling in logkitty@0.6.1, the version with the vulnerability.
Dependency chain leading to the vulnerability (now removed): Consumer (@amzn/react-native-w3cmedia) → react-native-tscodegen-types@0.66.0 → react-native@0.60.6 → @react-native-community/cli-platform-android@2.9.0 → logkitty@0.6.1 ⚠
Changes are flowing through the internal pipeline; they can be expected to be available in SDK version 22.2.
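To turn a `yarn audit` finding into the kind of chain shown above, the following added example (not code from the thread or from the SDK) parses the NDJSON that Yarn Classic's `yarn audit --json` emits, checks each finding's installed version against the advisory's patched range, and names the direct dependency at the root of every path so you know which package to upgrade or drop. The audit record is constructed to mirror the logkitty chain; the range check only understands `>=x.y.z` and is an assumption made to keep the example dependency-free (use the `semver` package in real tooling).

```javascript
// Added example: map `yarn audit --json` advisories to the direct dependencies
// that pull them in. Not code from the thread or from the SDK.
// Constructed sample mirroring the logkitty chain described in the thread.
const SAMPLE_AUDIT = [
  JSON.stringify({
    type: "auditAdvisory",
    data: {
      resolution: { id: 1, path: "react-native-tscodegen-types>react-native>@react-native-community/cli-platform-android>logkitty" },
      advisory: {
        module_name: "logkitty", severity: "high", patched_versions: ">=0.7.1",
        findings: [{ version: "0.6.1",
          paths: ["react-native-tscodegen-types>react-native>@react-native-community/cli-platform-android>logkitty"] }],
      },
    },
  }),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { high: 1 } } }),
].join("\n");

// Minimal ">=x.y.z" check (assumption: real tooling should use the `semver` package).
function satisfiesMinimum(version, range) {
  const m = /^>=\s*(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const have = version.split(".").map(Number);
  const need = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] > need[i];
  }
  return true; // identical version satisfies ">="
}

// Parse the NDJSON stream, keep only auditAdvisory records, and for each finding
// report the installed version, whether it is already patched, and the root
// (first segment) of every dependency path, i.e. the package you directly control.
function parseAudit(ndjson) {
  return ndjson.split("\n").filter(Boolean).map((line) => JSON.parse(line))
    .filter((rec) => rec.type === "auditAdvisory")
    .map((rec) => {
      const adv = rec.data.advisory;
      const findings = adv.findings.map((f) => ({
        installed: f.version,
        patched: satisfiesMinimum(f.version, adv.patched_versions),
        roots: [...new Set(f.paths.map((p) => p.split(">")[0]))],
      }));
      return { module: adv.module_name, severity: adv.severity,
               patchedRange: adv.patched_versions, findings };
    });
}

console.log(JSON.stringify(parseAudit(SAMPLE_AUDIT), null, 2));
```

Pipe real output in with `yarn audit --json > audit.ndjson` and read that file instead of `SAMPLE_AUDIT`; a finding whose `patched` is `false` with a root you depend on directly is the one to upgrade or remove.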