forcedotcom / cli

Salesforce CLI
https://developer.salesforce.com/docs/atlas.en-us.sfdx_cli_reference.meta/sfdx_cli_reference/
BSD 3-Clause "New" or "Revised" License

npm audit security vulnerabilities in @salesforce/cli@2.67.7 #3133

Open AndrWeisR opened 11 hours ago

AndrWeisR commented 11 hours ago

The npm audit report for @salesforce/cli 2.67.7 reports high-severity security vulnerabilities, as below.

Reproduce with npm audit

npm audit report

cross-spawn  7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via npm audit fix
node_modules/@salesforce/cli/node_modules/cross-spawn
node_modules/@salesforce/cli/node_modules/npm/node_modules/cross-spawn
node_modules/cross-spawn

path-to-regexp  0.2.0 - 1.8.0 || 4.0.0 - 6.2.2
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via npm audit fix
node_modules/@salesforce/cli/node_modules/@salesforce/cli-plugins-testkit/node_modules/path-to-regexp
node_modules/@salesforce/cli/node_modules/path-to-regexp

sf version --verbose --json
(node:24676) [DEP0040] DeprecationWarning: The punycode module is deprecated. Please use a userland alternative instead.
(Use node --trace-deprecation ... to show where the warning was created)
{
  "architecture": "win32-x64",
  "cliVersion": "@salesforce/cli/2.67.7",
  "nodeVersion": "node-v22.4.1",
  "osVersion": "Windows_NT 10.0.19045",
  "rootPath": "C:\Users\XXXXX\AppData\Roaming\npm\node_modules\@salesforce\cli",
  "shell": "cmd.exe",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 3.2.8 (core)",
    "@oclif/plugin-commands 4.1.8 (core)",
    "@oclif/plugin-help 6.2.16 (core)",
    "@oclif/plugin-not-found 3.2.25 (core)",
    "@oclif/plugin-plugins 5.4.15 (core)",
    "@oclif/plugin-search 1.2.14 (core)",
    "@oclif/plugin-update 4.6.10 (core)",
    "@oclif/plugin-version 2.2.15 (core)",
    "@oclif/plugin-warn-if-update-available 3.1.21 (core)",
    "@oclif/plugin-which 3.2.17 (core)",
    "@salesforce/cli 2.67.7 (core)",
    "apex 3.6.2 (core)",
    "api 1.3.2 (core)",
    "auth 3.6.73 (core)",
    "data 3.11.3 (core)",
    "deploy-retrieve 3.15.11 (core)",
    "info 3.4.18 (core)",
    "limits 3.3.39 (core)",
    "marketplace 1.3.4 (core)",
    "org 5.1.4 (core)",
    "packaging 2.9.0 (core)",
    "schema 3.3.40 (core)",
    "settings 2.4.4 (core)",
    "sobject 1.4.45 (core)",
    "telemetry 3.6.20 (core)",
    "templates 56.3.29 (core)",
    "trust 3.7.41 (core)",
    "user 3.6.2 (core)"
  ]
}
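To triage a report like the one above, it helps to confirm which installed copies of a flagged package actually fall inside the advisory's vulnerable range, since a hoisted copy and a copy nested under @salesforce/cli can be at different versions. The following is an added example, not code from this issue or from the Salesforce CLI project; the audit report object mirrors the two findings above in the shape `npm audit --json` produces, and the installed version numbers are constructed stand-ins for what each path's package.json would report.

```javascript
// Added example (not from the issue or the Salesforce CLI project): check each
// installed copy listed under "nodes" against the advisory's vulnerable range.
// The report is constructed to mirror the two findings in the issue.
const sampleReport = {
  vulnerabilities: {
    "cross-spawn": {
      severity: "high", range: "7.0.0 - 7.0.4", fixAvailable: true,
      via: [{ url: "https://github.com/advisories/GHSA-3xgq-45jj-v275" }],
      nodes: ["node_modules/@salesforce/cli/node_modules/cross-spawn",
              "node_modules/cross-spawn"],
    },
    "path-to-regexp": {
      severity: "high", range: "0.2.0 - 1.8.0 || 4.0.0 - 6.2.2", fixAvailable: true,
      via: [{ url: "https://github.com/advisories/GHSA-9wv6-86v2-598j" }],
      nodes: ["node_modules/@salesforce/cli/node_modules/path-to-regexp"],
    },
  },
};
// Constructed stand-ins for the "version" field of each path's package.json
// (in a real run, read node_modules/<path>/package.json from disk).
const installedVersions = {
  "node_modules/@salesforce/cli/node_modules/cross-spawn": "7.0.3",
  "node_modules/cross-spawn": "7.0.6", // hoisted copy already past the range
  "node_modules/@salesforce/cli/node_modules/path-to-regexp": "6.2.1",
};

// Numeric major.minor.patch comparison; prerelease tags are out of scope here.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// npm audit prints vulnerable ranges as inclusive hyphen ranges joined by "||".
function inRange(version, range) {
  return range.split("||").some((part) => {
    const [lo, hi] = part.trim().split(" - ");
    return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
  });
}
// One record per installed copy; "affected" is true only for copies in range.
function triage(report, versions) {
  return Object.entries(report.vulnerabilities).flatMap(([name, v]) =>
    v.nodes.map((path) => ({
      name, path, version: versions[path], severity: v.severity,
      advisory: v.via[0].url, fixAvailable: v.fixAvailable,
      affected: path in versions && inRange(versions[path], v.range),
    })));
}
```

Copies that report `affected: false` can be dropped from the triage list; the remaining ones are the nested copies that `npm audit fix` has to be able to reach inside the CLI's own node_modules tree.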

github-actions[bot] commented 11 hours ago

Hello @AndrWeisR :wave: It looks like you didn't include the full Salesforce CLI version information in your issue. Please provide the output of version --verbose --json for the CLI you're using (sf or sfdx).

A few more things to check:

Thank you!

github-actions[bot] commented 11 hours ago

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.