Open shark0der opened 4 years ago
Hi @shark0der!
Thanks so much for reporting it! The project owner will review and triage this issue during the next week.
Thanks for reporting @shark0der. I looked into this and I don't think it's a vulnerability for OpenZeppelin CLI users, because the places where there could be command injection in the user's machine are controlled by the user.
Hi @frangio! Indeed, like I said before, it doesn't seem like there's an impact (unless of course there are specific scenarios for some users); however, having npm audit report a critical vulnerability after the installation doesn't look pretty and might scare some users. That being said, fixing this doesn't need a very high priority, but it would be nice to have it fixed sooner rather than later.
I've skimmed through the source; I wouldn't say you're affected, but you'd probably want to remove the dependency and implement those functions yourself.
Advisory: https://npmjs.com/advisories/1507
Usages
Looking at the dependency itself, I'd suggest implementing exec commands in your sdk and getting rid of the dep as it doesn't seem to be actively maintained.
Dep source: https://github.com/Manak/npm-programmatic/blob/master/index.js
Initially reported on Telegram: https://t.me/zeppelinos/12443