Yarn audit (possibly npm audit) reports a vulnerability.

[Kiran-B]

I have a project in which karma-sonarqube-unit-reporter is a dev dependency. When executing the command yarn audit it reports a vulnerability due to this package. I believe this would also be the case if you use npm audit.

Below is the audit report:

❯ yarn audit 
yarn audit v1.13.0
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma-sonarqube-unit-reporter                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma-sonarqube-unit-reporter > xmlbuilder > lodash          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 43979
Severity: 1 Low

Steps to regenerate:

1. Add karma-sonarqube-unit-reporter as a dev dependency to a node based project. In my case it is an Angular 7.x project.

ng new testproj
yarn add --dev karma-sonarqube-unit-reporter

2. Execute yarn audit

Possible fix:

Upgrade xmlbuilder dependency from 3.1.0 to at least 4.2.1.

[tztz]

This is also fixed in #39