[Security Vulnerabilities ] High severity vulnerability exists in Heroku CLI (heroku/9.2.1 linux-x64 node-v16.20.2)

[debabrata-shome]

This project is for the Heroku CLI only and issues are reviewed as we are able. If you need more immediate assistance or help with anything not specific to the CLI itself, please use https://help.heroku.com.

Do you want to request a feature or report a bug?

I am trying to report a High-severity (P0) security bug that is present in Heroku CLI due to dependent libraries

• npm:plist
• npm:ip
• npm:ejs
• npm:exca

Version Details : heroku/9.2.1 linux-x64 node-v16.20.2

What is the current behavior?

If the current behavior is a bug, please provide the steps to reproduce.

• https://cwe.mitre.org/data/definitions/1321.html
• https://cwe.mitre.org/data/definitions/78.html
• https://cwe.mitre.org/data/definitions/74.html
• https://cwe.mitre.org/data/definitions/918.html

More details on CVEs

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29827
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42282
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39353
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37616

What is the expected behavior?

Please update the third party library to remediate the vulnerabilities from Heroku CLI

[sbosio]

Hi @debabrata-shome, we're working on our upcoming release for Heroku CLI v10 that will drop support for Node 16 and will allow us to upgrade some blocked dependencies and get rid of all of these vulnerabilities.

We'll let you know when our next major version release is out and close this report.

Best!