[x3d-public] Vulnerability: X3DJSONLD (actually async referenced from java)
John Carlson
yottzumm at gmail.com
Tue May 3 12:33:17 PDT 2022
Note that nodejs.java does not solve the issue.
I will attempt to override async in package.json.
On Tue, May 3, 2022 at 1:35 PM John Carlson <yottzumm at gmail.com> wrote:
> Note that there is a vulnerability in X3DJSONLD’s dependencies. The
> node.js interface to java, java@0.12.2, depends on a vulnerable version
> of async, and afaik, this dependency has not been updated yet in java@0.12.2,
> but read on.
>
> I believe I’ve removed using java@0.12.2 from X3DJSONLD’s app.js server
> (for XML to JSON conversion), but the node.js examples found in
> X3DJSONLD/src/main/node/net/ should be run with caution. In general,
> generated ECMAScript should be used with care. JSON should be ok.
>
> I will try to approach this sometime today, but patches are welcome!
>
> All the more reason to develop an ES6 SAI.
>
> Note that there’s another package,
> https://www.npmjs.com/package/nodejs-java that may be more suitable (but
> has far fewer users). It looks like one can slip this in as a replacement.
>
> John
>
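
One way to check whether an override of `async` in package.json reached every installed copy, as an added example that is not part of the original message or of X3DJSONLD: it scans a package-lock.json (assumed lockfileVersion 2 or 3 layout) for each copy of a package and for the packages that depend on it. The lock data, the function names and the `2.0.0` threshold used in testing are constructed for illustration; take the real fixed version from the advisory.

```javascript
// Added example; SAMPLE_LOCK and the threshold used with it are constructed.
// Layout assumed: package-lock.json lockfileVersion 2 or 3 ("packages" map).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { java: '0.12.2' } },
    'node_modules/java': { version: '0.12.2', dependencies: { async: '1.x' } },
    'node_modules/java/node_modules/async': { version: '1.0.0' },
    'node_modules/async': { version: '9.9.9' },
  },
};

// Compare dotted numeric versions; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Last package name in a lock path, e.g. "node_modules/java" -> "java".
function pkgName(path) {
  return path === '' ? '(root)' : path.split('node_modules/').pop();
}

// Every installed copy of `name`, including copies nested under another package.
function findCopies(lock, name, minSafe) {
  const suffix = 'node_modules/' + name;
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    const parent = pkgName(path.slice(0, -suffix.length).replace(/\/$/, ''));
    copies.push({ path, version: meta.version, nestedUnder: parent,
                  ok: compareVersions(meta.version, minSafe) >= 0 });
  }
  return copies;
}

// Packages that declare a dependency on `name`, with the range they ask for.
function findDependents(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([, meta]) => meta.dependencies && name in meta.dependencies)
    .map(([path, meta]) => ({ pkg: pkgName(path), range: meta.dependencies[name] }));
}
```

A copy reported with `ok: false` under `nestedUnder: 'java'` means the override did not reach the copy that the `java` package actually loads, even if a newer copy is hoisted to the root.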