flxbl-io / sfp

A build system for modular development in Salesforce
https://docs.flxbl.io/sfp/
MIT License

Vulnerable package org.scala-lang:scala-library:2.13.3 included in sfp-lite packages for 38.4.1 and 39.0.3 #92

Closed thraco closed 3 months ago

thraco commented 3 months ago

Describe the bug

49 did not completely resolve the issue raised in #46 by @JonnyPower. scala-library:2.13.3 is still included in the published packages for 38.4.1 and 39.0.3. #47 was closed without merging, but did include the upgrade of this package to 2.13.13.

To Reproduce

Steps to reproduce the behavior:

Expected behavior

sfp-lite no longer includes scala-library:2.13.3, which has the critical vulnerability CVE-2022-36944.
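Added example, not code from the issue or from sfp: a Python check that a maintainer or consumer can run over an unpacked sfp-lite package to confirm that no bundled jar still carries a Scala library older than 2.13.9. It assumes the bundled jars keep the `library.properties` file that scala-library ships inside its jar; the 2.13.9 threshold comes from the CVE-2022-36944 advisory rather than from this thread, and the jar names and versions in `demo()` are constructed.

```python
import os, tempfile, zipfile

# CVE-2022-36944 affects Scala 2.13.x before 2.13.9 (threshold taken from the
# public advisory, not from the issue thread).
def parse_version(text):
    """'2.13.3' -> (2, 13, 3); drops suffixes such as '-RC1'."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))

def is_vulnerable(version):
    """True for a 2.13.x Scala library older than the 2.13.9 fix."""
    v = parse_version(version)
    return v[:2] == (2, 13) and v[2] < 9

def scala_version_in_jar(path):
    """Read version.number from the library.properties that scala-library ships in its jar."""
    with zipfile.ZipFile(path) as jar:
        if "library.properties" not in jar.namelist():
            return None
        props = jar.read("library.properties").decode("utf-8", "replace")
        for line in props.splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version.number":
                return value.strip()

def find_vulnerable_scala_jars(root):
    """Walk an unpacked package and list (relative path, version) of affected jars."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                version = scala_version_in_jar(full)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it rather than abort the scan
            if version and is_vulnerable(version):
                findings.append((os.path.relpath(full, root), version))
    return sorted(findings)

def demo():
    """Constructed sample: one jar bundling Scala 2.13.3, one rebuilt on 2.13.13."""
    with tempfile.TemporaryDirectory() as root:
        for name, version in (("apexlink-old.jar", "2.13.3"), ("apexlink-new.jar", "2.13.13")):
            with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
                jar.writestr("library.properties", f"version.number={version}\n")
        return find_vulnerable_scala_jars(root)

if __name__ == "__main__":
    print(demo())  # [('apexlink-old.jar', '2.13.3')]
```

Point `find_vulnerable_scala_jars` at the directory produced by unpacking the published package tarball; an empty list means no bundled jar still reports a vulnerable Scala library version.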

azlam-abdulsalam commented 3 months ago

@thraco thanks for bringing this to our attention, we will release a patch asap

thraco commented 3 months ago

thanks @azlam-abdulsalam!

azlam-abdulsalam commented 3 months ago

We are facing some issues while rebuilding apexlink, will keep everyone posted when the patch is ready

azlam-abdulsalam commented 3 months ago

Fixed in https://github.com/flxbl-io/sfp/commit/783b1c999463fd9d08b15f5c03029682f5a57b19

thraco commented 3 months ago

Fantastic, thank you @azlam-abdulsalam!