microsoft / azure-pipelines-agent

Azure Pipelines Agent 🚀
MIT License

vso-task-lib is deprecated, but still packaged #4875

Open bvida01 opened 2 months ago

bvida01 commented 2 months ago

What happened?

Part of the agent deliveries is vso-task-lib. It is mentioned in the src/Misc/externals.sh file:

acquireExternalTool "$CONTAINER_URL/vso-task-lib/0.5.5/vso-task-lib.tar.gz" vso-task-lib

According to npmjs.com, vso-task-lib is deprecated: https://www.npmjs.com/package/vso-task-lib. Instead, azure-pipelines-task-lib should be used.

The vso-task-lib itself has vulnerable dependencies, which are constantly revealed by the security scanners.

Is it possible to exclude vso-task-lib and use azure-pipelines-task-lib instead?

Versions

Pipelines Agent v3.240.1 / Linux x64

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

No response

Version control system

No response

Relevant log output

No response
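
One way to triage the finding reported above while the package is still bundled: list what an externals.sh-style script downloads and flag entries that are on a deprecation list. This is an added example, not code from the issue or from the azure-pipelines-agent repository; the function names, the deprecation list and every sample line except the vso-task-lib one are assumptions.

```shell
#!/usr/bin/env bash
# Inventory the tools an externals.sh-style script downloads and flag the
# ones named on a deprecation list.

# Constructed sample input. Only the vso-task-lib line is quoted from the
# issue; the other two lines are made up for illustration.
sample_externals() {
cat <<'EOF'
# acquireExternalTool "$CONTAINER_URL/old-tool/9.9.9/old-tool.zip" old-tool
acquireExternalTool "$CONTAINER_URL/vso-task-lib/0.5.5/vso-task-lib.tar.gz" vso-task-lib
    acquireExternalTool "$CONTAINER_URL/example-tool/1.2.3/example-tool.zip" example-tool
EOF
}

# Read script text on stdin, print "name version target_dir" per download.
# Assumes the URL layout <base>/<name>/<version>/<archive> seen in the issue.
# Commented-out calls are skipped because their first field is "#".
list_externals() {
  awk '
    $1 == "acquireExternalTool" {
      url = $2; gsub(/"/, "", url)
      n = split(url, part, "/")
      if (n < 4) next          # URL does not follow the assumed layout
      print part[n-2], part[n-1], $3
    }'
}

# Read inventory rows on stdin, print those whose name is in the list given
# as arguments. Returns 1 when something was flagged so it can gate a job.
flag_deprecated() {
  local deny=" $* " found=0 name version dir
  while read -r name version dir; do
    case "$deny" in
      *" $name "*) echo "DEPRECATED $name $version -> $dir"; found=1 ;;
    esac
  done
  return "$found"
}

# Hypothetical list; the issue names vso-task-lib as deprecated on npmjs.com.
DEPRECATED_PACKAGES="vso-task-lib"

report() { sample_externals | list_externals | flag_deprecated $DEPRECATED_PACKAGES; }

report || true   # drop "|| true" to make a CI step fail on a finding
```

To run it against a real checkout, replace `sample_externals` in `report` with `cat src/Misc/externals.sh`.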

vmapetr commented 1 month ago

Hi @bvida01, thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon.