ActiveCampaign / postmark-cli

The official CLI tool for Postmark
https://postmarkapp.com
MIT License
79 stars, 9 forks

A high severity vulnerability introduced in postmark-cli #49

Closed (ayaka-kms closed this 1 year ago)

ayaka-kms commented 3 years ago

Hi, a vulnerability https://snyk.io/vuln/SNYK-JS-MERGE-1040469 is introduced in postmark-cli via:

● postmark-cli@1.5.11 ➔ watch@1.0.2 ➔ exec-sh@0.2.2 ➔ merge@1.2.1

However, watch is a legacy package, which has not been maintained for about 4 years. Is it possible to migrate watch to another package or remove it to remediate this vulnerability?

I noticed migration records in other JS repos for watch:

● in @google/clasp, version 2.3.2 ➔ 2.4.0, Migrate from watch to chokidar via commit
● in forever-monitor, version 1.5.2 ➔ 1.6.0, Migrate from watch to chokidar via commit

Are there any efforts planned that would remediate this vulnerability or migrate watch?

Thanks ; )
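The report above is the typical transitive-dependency case: the vulnerable package (merge) is three hops away from the project, so nothing in postmark-cli's own package.json names it. The following is an added example, not code from the issue or from the postmark-cli project. It walks an npm lockfile (v2/v3 "packages" map) with npm's nearest-node_modules resolution rule and prints every dependency chain from the root to a package whose version is below an advisory's fixed version. The lockfile object, the `compareVersions`/`resolve`/`findVulnerablePaths` helpers and the `ADVISORY` record are all constructed here; the fixed version 2.1.1 for merge is an assumption, not a value taken from the page.

```javascript
// Constructed lockfile (npm lockfileVersion 2/3 shape), mirroring the chain in the
// report: postmark-cli > watch > exec-sh > merge. Not the real postmark-cli lockfile.
const LOCKFILE = {
  name: "postmark-cli",
  lockfileVersion: 2,
  packages: {
    "": { name: "postmark-cli", version: "1.5.11",
          dependencies: { watch: "^1.0.2", commander: "^6.2.1" } },
    "node_modules/watch":     { version: "1.0.2", dependencies: { "exec-sh": "^0.2.0", minimist: "^1.2.0" } },
    "node_modules/exec-sh":   { version: "0.2.2", dependencies: { merge: "^1.2.0" } },
    "node_modules/merge":     { version: "1.2.1" },
    "node_modules/minimist":  { version: "1.2.5" },
    "node_modules/commander": { version: "6.2.1" },
  },
};

// Hypothetical advisory record: affected package name and first fixed version.
// The fixed version is assumed for this example, not taken from the advisory text.
const ADVISORY = { id: "SNYK-JS-MERGE-1040469", name: "merge", fixedIn: "2.1.1" };

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release suffixes are
// dropped, which is sufficient for the release versions in this example.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A package matches the advisory when its name matches and its version is below the fix.
function isVulnerable(name, version, advisory) {
  return name === advisory.name && compareVersions(version, advisory.fixedIn) < 0;
}

// Package name from a lockfile key, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Resolve a dependency the way Node does: look for node_modules/<name> under the
// dependent's own directory, then walk up one node_modules level at a time.
function resolve(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search from the root entry (""); every chain ending at a vulnerable
// package is returned as "name@version > name@version > ...". The `seen` set stops
// cycles, which real lockfiles do contain.
function findVulnerablePaths(lockfile, advisory) {
  const packages = lockfile.packages;
  const results = [];
  const dfs = (key, chain, seen) => {
    const entry = packages[key];
    const name = key === "" ? (entry.name || lockfile.name) : nameOf(key);
    const nextChain = chain.concat(name + "@" + entry.version);
    if (key !== "" && isVulnerable(name, entry.version, advisory)) {
      results.push(nextChain.join(" > "));
      return;
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolve(packages, key, dep);
      if (target && !seen.has(target)) dfs(target, nextChain, new Set(seen).add(target));
    }
  };
  dfs("", [], new Set([""]));
  return results;
}

// Usage: print each chain that pulls in the affected version.
for (const p of findVulnerablePaths(LOCKFILE, ADVISORY)) console.log(`${ADVISORY.id}: ${p}`);
```

Run against the real package-lock.json (`JSON.parse(fs.readFileSync("package-lock.json"))`) the same function shows which direct dependency has to be replaced or upgraded; here the only chain runs through watch, which is why swapping it for a maintained watcher removes the finding entirely.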

tomek-ac commented 1 year ago

This doesn't seem to be an issue any more. Thank you for reporting ✌️