OfficeDev / Office-Addin-Scripts

A set of scripts and packages that are consumed in Office add-ins projects.
MIT License
156 stars 99 forks

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability #872

Closed lsmith77 closed 3 months ago

lsmith77 commented 3 months ago

Expected behavior

No known vulnerabilities in the code and its dependencies.

Current behavior

The latest possible version that can be installed is 3.4.2 because of the following conflicting dependencies:

office-addin-debugging@5.1.2 requires @azure/identity@^3.1.3 via a transitive dependency on @microsoft/teamsapp-cli@3.0.0
office-addin-debugging@5.1.2 requires @azure/identity@^3.1.3 via a transitive dependency on @microsoft/teamsfx-core@2.0.7
No patched version available for @azure/identity

https://cwe.mitre.org/data/definitions/362.html

I am opening this security issue as an issue, since the vulnerability is already public.
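
The conflict reported above can be reproduced from a lockfile by listing every installed package that declares `@azure/identity` and checking whether its range admits a patched release. This is an added example, not part of the original issue or the project's code. The lockfile object is a constructed sample, the dependency edges between the named packages are assumed, `4.0.0` is a placeholder for the patched version, and the caret check handles only `^X.Y.Z` with X >= 1.

```javascript
// Constructed sample in the shape of package-lock.json's "packages" map
// (lockfileVersion 2/3). Package names, versions and the ^3.1.3 range come
// from the issue; the dependency edges between them are assumed.
const sampleLock = { packages: {
  "": { dependencies: { "office-addin-debugging": "^5.1.2" } },
  "node_modules/office-addin-debugging": { version: "5.1.2",
    dependencies: { "@microsoft/teamsapp-cli": "3.0.0" } },
  "node_modules/@microsoft/teamsapp-cli": { version: "3.0.0",
    dependencies: { "@azure/identity": "^3.1.3", "@microsoft/teamsfx-core": "2.0.7" } },
  "node_modules/@microsoft/teamsfx-core": { version: "2.0.7",
    dependencies: { "@azure/identity": "^3.1.3" } },
  "node_modules/@azure/identity": { version: "3.4.2" },
} };

// Placeholder only: take the real patched version from the advisory.
const PLACEHOLDER_PATCHED = "4.0.0";

const parse = (v) => v.split(".").map(Number);
// Package name is whatever follows the last "node_modules/" (13 characters).
const nameOf = (path) => path.slice(path.lastIndexOf("node_modules/") + 13);

// Simplified caret check: only ^X.Y.Z with X >= 1 (same major, >= base).
function caretAllows(range, version) {
  if (!/^\^[1-9]\d*\.\d+\.\d+$/.test(range)) throw new Error("unsupported range " + range);
  const [bM, bm, bp] = parse(range.slice(1));
  const [vM, vm, vp] = parse(version);
  return vM === bM && (vm > bm || (vm === bm && vp >= bp));
}

// Every installed package that declares `target`, and whether its range
// admits `patched`. The root entry ("") is skipped: its range is yours to edit.
function findConstrainers(lock, target, patched) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const range = (meta.dependencies || {})[target];
    if (path === "" || range === undefined) continue;
    out.push({ dependent: `${nameOf(path)}@${meta.version}`, range,
               blocksUpgrade: !caretAllows(range, patched) });
  }
  return out;
}

for (const c of findConstrainers(sampleLock, "@azure/identity", PLACEHOLDER_PATCHED)) {
  console.log(`${c.dependent} requires @azure/identity@${c.range}` +
              (c.blocksUpgrade ? " (blocks the upgrade)" : ""));
}
```

Against a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; any dependent flagged as blocking has to publish a release with a wider range before the patched version can be installed without an override.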

millerds commented 3 months ago

Fix is already checked in ... it just needs to be published (happening soon).

https://github.com/OfficeDev/Office-Addin-Scripts/pull/870

lsmith77 commented 3 months ago

thx for the releases.

millerds commented 3 months ago

New package published.