Vulnerability CVE-2022-39353

[Boot750]

Beginning in November the vulnerability CVE-2022-39353 with xmldom has been reported.
The library is still used in the configured version of msw/interceptors (0.17.6).

With version 0.18.3 the vulnerability was removed by removing the library. At what time will the version of msw/interceptors be updated?

For someone running into this issue with a code analysis software, you can force upgrade to version of xmldom to 0.8.5, which is compatible with 0.17.6 version of interceptors.

https://nvd.nist.gov/vuln/detail/CVE-2022-39353

[kettanaito]

Hey, @Boot750.

We are unlikely to update to @mswjs/interceptors@0.18 before #1436 lands. 0.18 introduces a number of breaking changes that are beneficial in the context of #1436 and make little sense when applied to the current version of MSW. ETA of this is, hopefully, Q1 of 2023.

You can help make this a reality faster by helping us test #1436. I'm planning on announcing more details around this/next week if everything goes well.

If you're affected by this, I highly recommend resolving @xmldom/xmldom to the version with the fix on your side using NPM overrides/Yarn resolutions/etc.

[Boot750]

@kettanaito thank you very much for the update. I will continue with the override of the version 👍