This repository has been archived by the owner on Oct 18, 2024. It is now read-only.
Just echoing the Dependabot warning that we had on our repo:
Dependabot cannot update xml2js to a non-vulnerable version
The latest possible version that can be installed is 0.4.23 because of the following conflicting dependencies:
@bbc/[email protected] requires xml2js@^0.4.5 via a transitive dependency on [email protected]
No patched version available for xml2js
The earliest fixed version is 0.5.0.
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
Temporary solution
Add the following to your package.json
"overrides": {
"xml2js": "0.5.0"
}
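To make the failure mode above concrete, here is an added illustration that is not xml2js's own code and not part of this issue: a toy XML-to-object converter that assigns element names straight into a plain object, which is the pattern behind prototype pollution, beside two hardened variants. The tokenizer, the policy names (`unsafe`, `nullProto`, `rejectKeys`) and the two request bodies are all constructed for this example.

```javascript
// Toy XML-to-object converter (example code, not xml2js). Handles nested
// elements and text only: no attributes, namespaces, comments or CDATA.
function tokenize(xml) {
  const re = /<(\/?)([A-Za-z_][\w.-]*)\s*>|([^<]+)/g;
  const tokens = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[2] !== undefined) {
      tokens.push({ type: m[1] ? 'close' : 'open', name: m[2] });
    } else if (m[3].trim() !== '') {
      tokens.push({ type: 'text', value: m[3].trim() });
    }
  }
  return tokens;
}

// Builds the tree. `policy.newObject` decides how element objects are
// created and `policy.assign` how a child is attached to its parent; the
// three policies below differ only there. Elements with no child elements
// become strings; text inside mixed content is dropped (toy simplification).
function parse(xml, policy) {
  const root = { obj: policy.newObject(), name: null, text: '', childCount: 0 };
  const stack = [root];
  for (const tok of tokenize(xml)) {
    const frame = stack[stack.length - 1];
    if (tok.type === 'open') {
      stack.push({ obj: policy.newObject(), name: tok.name, text: '', childCount: 0 });
    } else if (tok.type === 'text') {
      frame.text += tok.value;
    } else {
      if (stack.length === 1) continue; // stray close tag, ignore
      const done = stack.pop();
      const parent = stack[stack.length - 1];
      parent.childCount += 1;
      policy.assign(parent.obj, done.name, done.childCount > 0 ? done.obj : done.text);
    }
  }
  return root.obj;
}

// Vulnerable: plain objects and unchecked assignment. An element named
// __proto__ reaches the inherited __proto__ setter, so the parent's
// prototype is replaced by attacker-controlled content.
const unsafe = {
  newObject: () => ({}),
  assign: (obj, key, value) => { obj[key] = value; },
};

// Hardened, variant 1: null-prototype objects. There is no inherited
// __proto__ setter to hit, so the name becomes an ordinary own property.
const nullProto = {
  newObject: () => Object.create(null),
  assign: (obj, key, value) => { obj[key] = value; },
};

// Hardened, variant 2: plain objects, but refuse the key names that
// pollution payloads use to reach a prototype.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const rejectKeys = {
  newObject: () => ({}),
  assign: (obj, key, value) => {
    if (FORBIDDEN.has(key)) throw new Error(`refusing to set key "${key}"`);
    obj[key] = value;
  },
};

// Constructed request bodies: a legitimate one and the attacker's.
const NORMAL = '<user><role>viewer</role></user>';
const MALICIOUS = '<user><__proto__><role>admin</role></__proto__></user>';

// The application-side check the advisory describes: trusting parsed keys.
function roleOf(xml, policy) {
  const user = parse(xml, policy).user;
  return user === undefined ? undefined : user.role;
}

// Did `role` come from the XML itself, or was it smuggled in via the
// prototype chain? An own-property check tells the two apart.
function roleIsOwn(xml, policy) {
  const user = parse(xml, policy).user;
  return user !== undefined && Object.prototype.hasOwnProperty.call(user, 'role');
}

function demo() {
  for (const [name, policy] of Object.entries({ unsafe, nullProto, rejectKeys })) {
    let malicious;
    try { malicious = roleOf(MALICIOUS, policy); } catch (e) { malicious = `rejected (${e.message})`; }
    console.log(`${name}: normal=${roleOf(NORMAL, policy)} malicious=${malicious}`);
  }
}
demo();
```

Under `unsafe`, the malicious body yields `user.role === 'admin'` even though `user` has no own `role` property; under `nullProto` the lookup returns `undefined`, and `rejectKeys` throws before the key is ever written. Note that this toy injects properties into the parsed object only; it does not demonstrate anything about `Object.prototype` itself. Separately from the example: the `overrides` field in the workaround above is honored by npm 8.3 and later, while Yarn uses a `resolutions` field for the same purpose.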