[x3d-public] Vulnerability: X3DJSONLD (actually async referenced from java)
John Carlson
yottzumm at gmail.com
Tue May 3 11:35:51 PDT 2022
Note that there is a vulnerability in X3DJSONLD’s dependencies. The
node.js interface to java, java@0.12.2, depends on a vulnerable version of
async, and afaik, this dependency has not been updated yet in java@0.12.2,
but read on.
I believe I’ve removed using java@0.12.2 from X3DJSONLD’s app.js server
(for XML to JSON conversion), but the node.js examples found in
X3DJSONLD/src/main/node/net/ should be run with caution. In general,
generated ECMAScript should be used with care. JSON should be ok.
I will try to approach this sometime today, but patches are welcome!
All the more reason to develop an ES6 SAI.
Note that there’s another package,
https://www.npmjs.com/package/nodejs-java that may be more suitable (but
has far fewer users). It looks like one can slip this in as a replacement.
John