
[FEATURE] Solve fast-xml-parser vulnerable to Regex Injection via Doctype Entities #1611

Open
mastazi opened this issue Jun 20, 2023 · 2 comments


mastazi commented Jun 20, 2023

Summary:

About a week ago, I followed these steps https://github.com/dynamoose/dynamoose/security/policy but got no reply, so I'm raising this as a feature request here.

I have a Dependabot alert in a repo which uses Dynamoose:

fast-xml-parser vulnerable to Regex Injection via Doctype Entities
The latest possible version that can be installed is 4.1.2 because of the following conflicting dependency:
[email protected] requires [email protected] via a transitive dependency on @aws-sdk/[email protected]
The earliest fixed version is 4.2.4.

I noted this PR opened by Dependabot here in the Dynamoose repo: #1610. This would solve the issue. Given that the alert above is classified as "High Severity", is there a timeline for this to be released?

Code sample:

Schema

// N/A

Model

// N/A

General

// N/A

Environment:

Operating System: // N/A
Operating System Version: // N/A
Node.js version (node -v): 16.19.1
NPM version (npm -v): 6.14.13
Dynamoose version: 3.2.0

Other information (if applicable):

Other:

  • [*] I have read through the Dynamoose documentation before posting this issue
  • [*] I have searched through the GitHub issues (including closed issues) and pull requests to ensure this feature has not already been suggested before
  • [*] I have filled out all fields above
  • [*] I am running the latest version of Dynamoose
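An added example, not code from the issue or from the Dynamoose project, of the check a maintainer would run to answer the question above: which dependency chains in a lockfile reach fast-xml-parser at a version below the fixed 4.2.4. It walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) using npm's nearest-`node_modules` resolution rule, so it reports the actual chain that pins the old version rather than just the hoisted copy. The sample lockfile is constructed; every package name in it other than dynamoose and fast-xml-parser is a placeholder and does not reflect the real chain from the alert.

```javascript
// Added example (not from the issue or the Dynamoose project): list every
// dependency chain in an npm lockfile that ends at a vulnerable version of a
// target package, following npm's resolution rule for nested node_modules.

const TARGET = "fast-xml-parser";
const FIXED_VERSION = "4.2.4"; // "earliest fixed version" quoted from the Dependabot alert

// Constructed sample lockfile. Only dynamoose and fast-xml-parser are real
// package names; "placeholder-*" packages stand in for the real chain.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { dynamoose: "^3.2.0", "placeholder-other": "^2.0.0" } },
    "node_modules/dynamoose": { version: "3.2.0", dependencies: { "placeholder-sdk-client": "^3.0.0" } },
    "node_modules/placeholder-sdk-client": { version: "3.0.0", dependencies: { "placeholder-xml-util": "^1.0.0" } },
    "node_modules/placeholder-xml-util": { version: "1.0.0", dependencies: { "fast-xml-parser": "4.1.2" } },
    "node_modules/fast-xml-parser": { version: "4.1.2" },
    // A second consumer that already pulls a fixed copy, nested under itself.
    "node_modules/placeholder-other": { version: "2.0.0", dependencies: { "fast-xml-parser": "^4.2.4" } },
    "node_modules/placeholder-other/node_modules/fast-xml-parser": { version: "4.2.5" },
  },
};

// Compare dotted numeric versions; pre-release tags are not handled here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(packages, path) {
  if (path === "") return packages[path].name;
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// npm's resolution rule: look in the requiring package's own node_modules,
// then walk up one node_modules level at a time until the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns one "a@1 > b@2 > ..." string
// per chain that reaches `target` at a version older than `fixedVersion`.
function findVulnerablePaths(lockfile, target, fixedVersion) {
  const packages = lockfile.packages;
  const found = [];
  function visit(path, trail, onStack) {
    const entry = packages[path];
    const name = nameOf(packages, path);
    const chain = [...trail, `${name}@${entry.version}`];
    if (name === target && compareVersions(entry.version, fixedVersion) < 0) {
      found.push(chain.join(" > "));
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath === null || onStack.has(depPath)) continue; // unresolved or cycle
      onStack.add(depPath);
      visit(depPath, chain, onStack);
      onStack.delete(depPath);
    }
  }
  visit("", [], new Set([""]));
  return found;
}

// Usage: node check-lock.js [path/to/package-lock.json]; without an argument
// the constructed sample above is checked.
const lockfileToCheck = (typeof require === "function" && process.argv[2])
  ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
  : SAMPLE_LOCKFILE;
const report = findVulnerablePaths(lockfileToCheck, TARGET, FIXED_VERSION);
console.log(report.length ? report.join("\n") : `no ${TARGET} below ${FIXED_VERSION} found`);
```

Run against a real package-lock.json, the output names the intermediate package whose range keeps the old version in place. That is the information that decides the remediation: if the intermediate's own range would accept the fixed version, an `overrides` entry in package.json (npm 8.3 and later) can force it; if the intermediate pins a range that excludes the fix, as the alert's conflicting-dependency message indicates here, the intermediate itself needs a release, which is what the issue is asking of Dynamoose.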
@fishcharlie
Member

@mastazi I see absolutely no record that you contacted me. What date and time did you contact me and using what method?

@mastazi
Author

mastazi commented Jun 21, 2023

Hi @fishcharlie, I contacted you on a gmail address that was listed at https://github.com/dynamoose/dynamoose/security/policy

The subject line was

Vulnerability in Dynamoose due to transitive dependency

The email was sent on the 11th of June 2023, at 1:24 pm AEST (UTC +10).
