Is it possible to remove the vulnerability introduced by xmldom?

[bestrivens001]

Hi, @dlongley @dmitrizagidulin,

Issue Description

When I build my project, I notice that a vulnerability CVE-2021-21366 detected in package xmldom(<0.5.0) is transitively referenced by [email protected].
However, [email protected] is so popular that a large number of latest versions of active and popular downstream projects depend on it (about 92 downstream projects, e.g., did-veres-one 13.0.2, @affinityproject/wallet-core-sdk 0.13.3, caelum 1.2.22, @affinityproject/issuer-util 1.0.0-beta.9, @affinityproject/common-lib 0.4.1, etc.).
In this case, the vulnerability CVE-2021-21366 can be propagated into these downstream projects and expose security threats to them.
As you can see, [email protected] is introduced into the above projects via the following package dependency paths:
(1)@kiltprotocol/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
(2)[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......

I know that it's kind of you to have removed the vulnerability since [email protected]. But, in fact, the above large amount of downstream projects cannot easily upgrade jsonld-signatures from version 5.2.0 to (>=7.0.0):
The projects such as vc-js, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade jsonld-signatures nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?

Suggested Solution

Since these inactive projects set a version constaint 5.2.* for jsonld-signatures on the above vulnerable dependency paths, if jsonld-signatures removes the vulnerability from 5.2.0 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

In [email protected], maybe you can try to perform the following upgrade:
jsonld ^2.0.2 ➔ ^4.0.0;
Note:
[email protected](>=4.0.0) doesn't depend on xmldom any more .

Of course, you are welcome to share other ways to resolve the issue. ^_^

[dlongley]

@davidlehn,

Can you see what the simplest fix here is? Maybe jsonld@2 could have a patch release with a later xmldom -- or maybe that is more challenging, I don't know.

@bestrivens001,

The projects such as vc-js, which introduced [email protected], are not maintained anymore.

Btw, vc-js is still maintained -- and maintained by the same team that maintains both jsonld and jsonld-signatures. Its npm package name has just changed from vc-js to the scoped @digitabazaar/vc to make maintenance easier. It all uses the same repository though: https://github.com/digitalbazaar/vc-js