Closed ottoville closed 2 months ago
I'd like to see this vulnerability addressed sometime also.
This is annoying: it's giving my project, which uses the CLI package, a security alert in GitHub because of this, with no apparent way to address it short of getting rid of my reliance on the SWA CLI.
This is still an issue with @azure/static-web-apps-cli@1.1.4
Kind of disappointing that there has been no official response to this. However, I think this tool is supposed to be installed globally rather than as a project dependency.
Maybe the way this tool uses got would not present an opportunity for exploitation of the unix sockets (or would only present the opportunity to the dev who is using the tool), but the easy way to get rid of the security warnings is to simply remove it as a dependency and install it globally, as described in the Quick Start section of the README.
WIP: This is a problem with update-notifier, which has had a PR since early last year for this CVE with no action.
Will investigate switching to alternate libraries, or maybe just including a simplified version in our CLI.
The SWA CLI has a dependency on the GOT 9.6.0 package, as seen in the following diagram:
```
└─┬ @azure/static-web-apps-cli@1.1.1
  └─┬ update-notifier@5.1.0
    └─┬ latest-version@5.1.0
      └─┬ package-json@6.5.0
        └── got@9.6.0
```
Versions of the GOT package before 12.1.0 have the vulnerability CVE-2022-33987: https://nvd.nist.gov/vuln/detail/CVE-2022-33987
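To make the dependency chain above checkable without reading `npm ls` output by hand, here is an added example (not code from this thread or from the SWA CLI project) that walks an `npm ls --json`-style tree and reports every `got` whose version falls in the range affected by CVE-2022-33987. The fixed versions (11.8.5 on the 11.x line, 12.1.0 on the 12.x line) are taken from the NVD entry linked above; the sample tree is constructed to mirror the chain shown in the comment, and the function names are my own.

```javascript
// Added example: flag `got` versions affected by CVE-2022-33987 in an
// `npm ls --json`-shaped dependency tree. Not part of the SWA CLI project.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-component numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected range per NVD: everything before 11.8.5, and 12.0.0 through 12.0.3.
// 12.1.0 and later (and the 11.8.5 backport) are fixed.
function isVulnerableGot(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable version: cannot decide, do not flag
  if (v[0] < 11) return true;
  if (v[0] === 11) return compareVersions(v, [11, 8, 5]) < 0;
  if (v[0] === 12) return compareVersions(v, [12, 1, 0]) < 0;
  return false;
}

// Recursively walk nested `dependencies` objects (the shape `npm ls --json`
// emits) and collect the path to every vulnerable `got`.
function findVulnerableGot(tree, path = [], findings = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'got' && isVulnerableGot(info.version)) {
      findings.push(here.join(' > '));
    }
    findVulnerableGot(info, here, findings);
  }
  return findings;
}

// Constructed sample input mirroring the chain from the issue, plus a
// direct, patched `got` to show it is not flagged.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    '@azure/static-web-apps-cli': {
      version: '1.1.1',
      dependencies: {
        'update-notifier': {
          version: '5.1.0',
          dependencies: {
            'latest-version': {
              version: '5.1.0',
              dependencies: {
                'package-json': {
                  version: '6.5.0',
                  dependencies: { got: { version: '9.6.0' } },
                },
              },
            },
          },
        },
      },
    },
    got: { version: '12.1.0' },
  },
};

// Prints one line per vulnerable path; empty output means nothing affected.
for (const finding of findVulnerableGot(sampleTree)) {
  console.log(finding);
}
```

On a real project, feed it `JSON.parse` of `npm ls --all --json` instead of the constructed tree; a transitive hit like the one above is exactly what the GitHub alert in this thread is reporting, and it goes away once the chain no longer resolves to an affected `got`.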