SAP / ui5-tooling

An open and modular toolchain to develop state of the art applications based on the UI5 framework
https://sap.github.io/ui5-tooling
Apache License 2.0

Micromatch <4.0.8 used in ui5/cli CVE-2024-4067 #1005

Closed marcmuschko closed 2 weeks ago

marcmuschko commented 3 weeks ago

Hope this issue is the way to go, as the security vulnerability itself is not owned by SAP but only used in this repository.

Current Behavior

A GitHub bot / npm security warning due to dependency "micromatch" 4.0.7 in ui5/cli is failing our builds (Whitesource compliance). We are using ui5/cli 3.11.1, but it seems the same issue occurs in ui5/cli 4.0.5.

Expected Behavior

No security finding is found by GitHub, by unpinning micromatch 4.0.7 / increasing to 4.0.8. If possible, for a ui5 cli version 3.X.X, likely 3.11.2, as we cannot update yet to 4.X.X.

Steps to Reproduce the Issue

  1. Create a new project using ui5/cli via npm
  2. Commit project to github with dependency checks enabled
  3. See security tab

Context

d3xter666 commented 2 weeks ago

Hi @marcmuschko ,

Thanks for this ticket!

The dependency is already resolved within the code: https://github.com/SAP/ui5-fs/blob/main/package.json and https://github.com/SAP/ui5-tooling/pull/1004

RandomByte commented 2 weeks ago

We released UI5 CLI v4.0.6 and v3.11.2 where the dependency has been updated accordingly.