Closed gabriele-sacchi closed 5 years ago
Security analysis tools such as Snyk are intended to highlight vulnerabilities in node.js packages which may be exploited. This may happen when the package is deployed as part of a web application or node.js webserver to a remote, public-facing server in which code could be injected to exploit the vulnerability.
However, this plugin consists of hook scripts which are used to manipulate the native platform projects of a Cordova project on a development machine before those projects are built to create a native app. Since neither those scripts nor the dependencies mentioned are ever deployed elsewhere, the highlighted vulnerabilities are irrelevant: the packages mentioned will never be placed in an environment other than the developer's local machine, and therefore never in an environment in which their vulnerabilities could be exploited.
For this reason, this issue is being closed as not relevant.
Bug Report
Problem
Snyk (https://www.npmjs.com/package/snyk) querying a database of known vulnerabilities revealed this critical security vulnerability:
What is expected to happen?
No security vulnerabilities should be found by Snyk
What does actually happen?
High severity security vulnerability found by Snyk
Information
Steps to reproduce:
```shell
npm install -g snyk
snyk test
```
Command or Code
See above
Environment, Platform, Device
Any
Version information
latest version