fix: mitigate libxmljs2 vulnerability (issue #1224) by omitting optional dependencies #1286
Conversation
• Added package.json configuration to omit optional dependencies by default • Created alternate test snapshots for running without optional dependencies • Updated integration tests to use different snapshots based on test context • Fixed code style issues • Added documentation about security measures 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
thanks, but please open a ticket to discuss such critical breaking changes, first. I will not review it, until the details are discussed in such a ticket. First, I'claim there simply is no vulnerable dependency. You really should not trust arbitrary security reports from actors that publish unreviewed security reports. |
|
thank you for all your effort, but the content of this PR is not desirable
|
I changed the way that this is packaged so that it doesn't require optional, vulnerable dependencies. This should cause people who newly install this package, to not generate npm audit vulnerabilities.
For users who need to perform XML validation, they can install the optional dependency on xmljs.
I did leverage Claude Code (an AI coding assistant) to help me with this work. However I did not change the functionality of the npm, just the packaging, and I added new test cases to cover both the xml-validation-omitted and xml-validation-required scenarios, and I ensured that all existing and new tests passed.
• Added package.json configuration to omit optional dependencies by default
• Created alternate test snapshots for running without optional dependencies
• Updated integration tests to use different snapshots based on test context
• Fixed lint issues
• Added documentation about security measures
🤖 Generated with the help of Claude Code