High severity vulnerability in pcf-scripts package due to dependency on xml2js

Have you noticed recently that when you run npm install on your PCF projects, you get a high severity vulnerabilities error (or maybe you were spammed by the GitHub 🤖 dependabot like I was)?
Luckily, it's not necessarily a reason to panic! 😅

As of the time of writing this (14th April 2023), there is currently a vulnerability in the xml2js package which pcf-scripts depends on, so if you run npm audit, you will see something like:

# npm audit report

xml2js  <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js
  pcf-scripts  *
  Depends on vulnerable versions of xml2js
  node_modules/pcf-scripts
  pcf-start  *
  Depends on vulnerable versions of xml2js
  node_modules/pcf-start

3 high severity vulnerabilities

This error is not as scary as it sounds and the good news is that the pcf-scripts package is only used a build-time and it doesn't get used at run-time. The xml2js package doesn't affect the functionality or security of your PCF control at all (unless you are using it in your own code of course!) since it is not included in your final PCF bundle.js when used by the pcf-scripts package. 🙌

So how do you fix this? 🤔

Well until the owner of the xml2js package releases a new version or the pcf-scripts package is updated not to require it, there isn't anything you can do!

Since pcf-scripts is included in the devDependencies section of the packages.json and is only used for development purposes, the way to determine if you have any issues that will impact your PCF bundle.js is to run the command:

npm audit --omit=dev

This will check only the packages that are in the dependencies section, and you should get the message:

found 0 vulnerabilities

Congratulations! 🥳

Comments are closed