I am developing a Microsoft Office PowerPoint React add-in using various packages. I used Yeoman to start working with the example add-in. Later, I installed "antd" and "react-router-dom". However, upon running npm audit, I received a message indicating 9 high severity vulnerabilities, with the most critical being related to the xml2js package. The full audit report message is provided below. As multiple packages depend on xml2js, and there is currently no fix available for the vulnerability, I am concerned about the security of my add-in. Can you please provide steps that I can take to address this vulnerability and ensure the security of my add-in?
Thank you in advance for your help.
PS: My current environment includes Node v18.15.0, React v17.0.2, and React-Router-DOM v5.3.4.
# npm audit report
xml2js <0.5.0
Severity: high
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js
@azure/core-http <=3.0.0
Depends on vulnerable versions of xml2js
node_modules/@azure/core-http
node_modules/@azure/storage-blob/node_modules/@azure/core-http
@microsoft/teamsfx-api *
Depends on vulnerable versions of @azure/core-http
node_modules/@microsoft/teamsfx-api
@microsoft/teamsfx-core *
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of office-addin-manifest
Depends on vulnerable versions of xml2js
node_modules/@microsoft/teamsfx-core
@microsoft/teamsfx-cli *
Depends on vulnerable versions of @azure/core-http
Depends on vulnerable versions of @microsoft/teamsfx-api
Depends on vulnerable versions of @microsoft/teamsfx-core
node_modules/@microsoft/teamsfx-cli
office-addin-dev-settings *
Depends on vulnerable versions of @microsoft/teamsfx-cli
Depends on vulnerable versions of office-addin-manifest
node_modules/office-addin-dev-settings
@azure/ms-rest-js <=2.6.4
Depends on vulnerable versions of xml2js
node_modules/@azure/ms-rest-js
office-addin-manifest *
Depends on vulnerable versions of xml2js
node_modules/office-addin-manifest
office-addin-debugging *
Depends on vulnerable versions of office-addin-dev-settings
Depends on vulnerable versions of office-addin-manifest
node_modules/office-addin-debugging
9 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
I did not try to uninstall xml2js, as the question below suggests because I don't think that solution is relevant to the MS Office Add-in I'm developing.
Office web add-ins can be considered regular Node.js-based web applications, so the same security rules apply to web add-ins as to web applications. The link posted provides possible solutions to the issue.
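One practical triage step for a report like the one above is to check whether the flagged xml2js copies are reachable only through devDependencies (build and debug tooling such as office-addin-manifest) or also through packages that ship in the add-in at runtime. The script below is an added example, not code from the question, the answer or the Office tooling; it reads the `packages` map of a lockfileVersion 2/3 package-lock.json, where `"dev": true` marks dev-only packages, and the lock fragment it uses is constructed for illustration.

```javascript
// Added example: classify installed copies of a vulnerable package found in a
// package-lock.json (lockfileVersion 2/3) as dev-only tooling or runtime exposure.
// The `sampleLock` object below is constructed for illustration, not a real lock file.

// Compare dotted version strings numerically: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk lock.packages and report every installed copy of `name` with a version below `fixedIn`.
// npm sets "dev": true on entries reachable only through devDependencies.
function triageVulnerablePackage(lock, name, fixedIn) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/' + name)) continue;
    if (compareVersions(meta.version, fixedIn) >= 0) continue;
    hits.push({ path, version: meta.version, devOnly: meta.dev === true });
  }
  return { hits, runtimeExposure: hits.some((h) => !h.devOnly) };
}

// Constructed lock fragment mirroring the shape of the audit report: xml2js pulled in by
// add-in build tooling (dev) and, hypothetically, by a runtime dependency as well.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-addin', devDependencies: { 'office-addin-manifest': '*' } },
    'node_modules/office-addin-manifest': { version: '1.0.0', dev: true },
    'node_modules/xml2js': { version: '0.4.23', dev: true },
    'node_modules/some-runtime-lib/node_modules/xml2js': { version: '0.4.23' },
  },
};

// The advisory's fixed version is 0.5.0 (xml2js <0.5.0 is flagged in the audit report).
const report = triageVulnerablePackage(sampleLock, 'xml2js', '0.5.0');
console.log(JSON.stringify(report, null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` as `lock`; a dev-only result means the vulnerable parser never ships to the add-in's users, while any runtime hit needs a replacement dependency or an override.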