[CVE-2022-23852] of underlying libexpat

[Ilmarinen100]

The underlying version of libexpat packaged in node-expat is most likely vulnerable to the vulnerability documented for libexpat < 2.4.4

• https://nvd.nist.gov/vuln/detail/CVE-2022-23852
• [CVE-2022-23852] Prevent XML_GetBuffer signed integer overflow libexpat/libexpat#550

[astro]

Using an OS with package management, I've always wondered why we vendored libexpat.

[Ilmarinen100]

Using an OS with package management, I've always wondered why we vendored libexpat.

If only all OSes brought libs like that ... but wait - we might even get fewer security fixes for older devices where nobody updates the OS :D

[hartwork]

Please note that Expat 2.4.5 with more security fixes has been released by now.

[AudunWA]

Are there any plans to upgrade the bundled libexpat version to latest?