AntonNiklasson / eslint-plugin-knex

Lint rule(s) for Knex.js

Critical security issue on npm audit #25

Closed alejandroiglesias closed 6 months ago

alejandroiglesias commented 6 months ago

Hi! We're using this plugin as a part of our ESLint config, but there is a critical security issue thrown by npm audit that would require eslint-plugin-knex to update the eslint-remote-tester to the latest version to be fixed.

# npm audit report

simple-git  <=3.15.1
Severity: critical
Command injection in simple-git - https://github.com/advisories/GHSA-3f95-r44v-8mrg
Remote code execution in simple-git - https://github.com/advisories/GHSA-9w5j-4mwv-2wj8
Command injection in simple-git - https://github.com/advisories/GHSA-28xr-mwxg-3qc8
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol - https://github.com/advisories/GHSA-9p95-fxvg-qgq2
fix available via `npm audit fix --force`
Will install [...]/eslint-config-[...]@4.1.0, which is a breaking change
node_modules/simple-git
  eslint-remote-tester  <=2.1.1
  Depends on vulnerable versions of simple-git
  node_modules/eslint-remote-tester
    eslint-plugin-knex  >=0.2.0
    Depends on vulnerable versions of eslint-remote-tester
    node_modules/eslint-plugin-knex
      [...]/eslint-config-[...] >=4.1.1
      Depends on vulnerable versions of eslint-plugin-knex
      node_modules/[...]/eslint-config-[...]

AntonNiklasson commented 6 months ago

PRs are welcome :)

AntonNiklasson commented 6 months ago

eslint-remote-tester is just a dev dependency now (see #21). Is that enough to fix it on your side?
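A way to answer the question the thread ends on, added here as an example (not code from eslint-plugin-knex or from the participants): walk an npm lockfile and report whether a flagged package is reachable through production dependencies, through devDependencies only, or not installed at all. The lockfile excerpts are constructed from the audit output above, and the walk assumes every package is hoisted to `node_modules/<name>` (no nested copies).

```javascript
// Added example, not part of eslint-plugin-knex. Answers: is the audited
// package shipped to production, dev-only, or absent from the install tree?
// Assumption: npm lockfile v2/v3 "packages" map with hoisted node_modules/<name>.

// Constructed excerpt modelled on the issue's audit chain:
// consumer devDependency eslint-plugin-knex -> eslint-remote-tester -> simple-git
const lockBefore = {
  packages: {
    "": { devDependencies: { "eslint-plugin-knex": "^0.2.0" } },
    "node_modules/eslint-plugin-knex": { version: "0.2.0",
      dependencies: { "eslint-remote-tester": "^2.1.1" } },
    "node_modules/eslint-remote-tester": { version: "2.1.1",
      dependencies: { "simple-git": "^3.15.1" } },
    "node_modules/simple-git": { version: "3.15.1" },
  },
};

// Constructed "after #21" tree: eslint-remote-tester is now a devDependency of
// the plugin, so a consumer's install never contains it (or simple-git).
const lockAfter = {
  packages: {
    "": { devDependencies: { "eslint-plugin-knex": "^0.2.0" } },
    "node_modules/eslint-plugin-knex": { version: "0.2.0", dependencies: {} },
  },
};

// Breadth-first search from the root. includeDev=false follows only the root's
// "dependencies", which is what `npm audit --omit=dev` reports on.
function findChain(lock, target, includeDev = true) {
  const root = lock.packages[""] || {};
  const start = Object.keys({ ...(root.dependencies || {}),
    ...(includeDev ? root.devDependencies || {} : {}) });
  const queue = start.map((name) => [name]);
  const seen = new Set(start);
  while (queue.length) {
    const chain = queue.shift();
    const name = chain[chain.length - 1];
    if (name === target) return chain; // path of package names from the root
    const entry = lock.packages[`node_modules/${name}`];
    for (const dep of Object.keys((entry && entry.dependencies) || {})) {
      if (!seen.has(dep)) { seen.add(dep); queue.push([...chain, dep]); }
    }
  }
  return null; // target not reachable through this edge set
}

// Triage verdict: a dev-only chain never reaches a production deployment.
function auditVerdict(lock, target) {
  if (!findChain(lock, target)) return "not installed";
  return findChain(lock, target, false) ? "production" : "dev-only";
}
```

Run against a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) the same two calls tell you whether an advisory on a linting dependency affects anything you deploy.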