Node Module Security Updates needed

[intrepidsilence]

When installing the required npm modules, you get:

root@roon-volume:~/roon-extension-denon# npm install
npm WARN skipping integrity check for git dependency ssh://git@github.com/roonlabs/node-roon-api-volume-control.git
npm WARN skipping integrity check for git dependency ssh://git@github.com/roonlabs/node-roon-api-status.git
npm WARN skipping integrity check for git dependency ssh://git@github.com/roonlabs/node-roon-api-source-control.git
npm WARN skipping integrity check for git dependency ssh://git@github.com/roonlabs/node-roon-api-settings.git
npm WARN skipping integrity check for git dependency ssh://git@github.com/roonlabs/node-roon-api.git
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead

added 21 packages, and audited 22 packages in 1s

1 package is looking for funding
  run `npm fund` for details

3 vulnerabilities (1 moderate, 2 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Then when running the audit fix:

root@roon-volume:~/roon-extension-denon# npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating fast-xml-parser to 4.5.1, which is a SemVer major change.
npm WARN audit No fix available for node-roon-api@

changed 1 package, and audited 22 packages in 4s

1 package is looking for funding
  run `npm fund` for details

# npm audit report

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
No fix available
node_modules/ip
  node-roon-api
  Depends on vulnerable versions of ip
  node_modules/node-roon-api

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

[docbobo]

Actually, I don't believe this is fixed by #10. There is no newer version of node-roon-api available that fixes the vulnerability. Maybe that needs to be reported over there.

[docbobo]

The only thing that we can fix here is the fast-xml-parser change.

@jcharr1 is there any chance you can give that a try on your end? According to the version number, it could be breaking and I don't have any means to verify this. I could also prepare the change in a separate branch if that helps. LMK.

[jcharr1]

I bumped fast-xml-parser and it seems to be working fine. You can test it out with my fork or my docker image: ghcr.io/jcharr1/roon-extension-denon:master

I also tried forking the node-roon-api and bumping ip to the most recent version but npm install still gives the same warning. So apparently it's not fixed on their end yet.

[docbobo]

Bumping fast-xml-parser would at least be sufficient to get rid of the one security alert we have on the project - do you want to create a PR for this?

[docbobo]

Okay, the fast-xml-parser issue should be fixed by #12.