Azure / static-web-apps-cli

Azure Static Web Apps CLI ✨
https://aka.ms/swa/cli-local-development
MIT License

GOT dependency vulnerability #684

Closed ottoville closed 2 months ago

ottoville commented 1 year ago

The SWA-CLI has a dependency on the GOT 9.6.0 package, as seen in the following diagram:

```
└─┬ @azure/static-web-apps-cli@1.1.1
  └─┬ update-notifier@5.1.0
    └─┬ latest-version@5.1.0
      └─┬ package-json@6.5.0
        └── got@9.6.0
```

GOT package versions before 12.1.0 have vulnerability CVE-2022-33987: https://nvd.nist.gov/vuln/detail/CVE-2022-33987
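As an added example (not code from the issue or the SWA CLI project), the script below walks the JSON form of `npm ls` output and reports every dependency path that ends in a `got` older than the 12.1.0 fix release; the `chain` helper, `findVulnerableGot` function and the sample tree mirroring the chain above are all constructed here.

```javascript
// Added example, not code from the issue or the SWA CLI project: walk the JSON
// form of `npm ls --all --json` and report every dependency path ending in a
// `got` older than 12.1.0, the fix release for CVE-2022-33987 named above.
const FIXED_GOT_VERSION = "12.1.0";

// Build a nested npm-ls-style subtree from a flat chain of "name@version" specs.
function chain(...specs) {
  return specs.reduceRight((child, spec) => {
    const at = spec.lastIndexOf("@"); // scoped names also contain "@"
    const node = { version: spec.slice(at + 1) };
    if (child) node.dependencies = child;
    return { [spec.slice(0, at)]: node };
  }, null);
}

// Constructed sample tree mirroring the chain pasted in the issue.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    ...chain("@azure/static-web-apps-cli@1.1.1", "update-notifier@5.1.0",
             "latest-version@5.1.0", "package-json@6.5.0", "got@9.6.0"),
    ...chain("got@12.1.0"), // direct, already-patched got: must not be reported
  },
};

// Numeric compare of plain x.y.z versions; true when a is older than b.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk; returns "a@1 > b@2 > got@9.6.0" strings for each hit.
function findVulnerableGot(node, fixed = FIXED_GOT_VERSION, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === "got" && versionLessThan(dep.version, fixed)) hits.push(here.join(" > "));
    hits.push(...findVulnerableGot(dep, fixed, here));
  }
  return hits;
}

console.log(findVulnerableGot(sampleTree));
```

To audit a real project, replace `sampleTree` with `JSON.parse` of the output of `npm ls --all --json` run in that project.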

fgoulet commented 1 year ago

I'd like to see this vulnerability addressed sometime also.

dylan-smith commented 1 year ago

This is annoying: it's giving my project that uses the CLI package a security alert in GitHub because of this, with no apparent way to address it short of getting rid of my reliance on the SWA CLI.


nkelly75 commented 11 months ago

This is still an issue with @azure/static-web-apps-cli@1.1.4

FlippingBinary commented 11 months ago

Kind of disappointing that there has been no official response to this. However, I think this tool is supposed to be installed globally rather than as a project dependency.

Maybe the way this tool uses got would not present an opportunity for exploitation of the Unix sockets (or would only present the opportunity to the dev who is using the tool), but the easy way to get rid of the security warnings is to simply remove it as a dependency and install it globally, as described in the Quick Start section of the README.

adrianhall commented 3 months ago

WIP: This is a problem with update-notifier, which has had a PR since early last year for this CVE with no action.

Will investigate switching to alternate libraries, or maybe just including a simplified version in our CLI.