Open priyaananthasankar opened 4 weeks ago
Thanks for raising the issue. fast-xml-parser is a downstream dependency of adaptive-expressions so the authors should update it there so that we can pull it in. Also, given the nature of the discovered vulnerability, how do you see it being abused in a tool like CLI that's typically used without direct user input that could be malformed?
@waldekmastykarz: good question. I am from the Azure Cloud Shell team. Shell is used downstream by other services. At the moment we are not considering exploitability of the vuln, but we are expected to patch vulns ASAP due to security focus. How often do you pull the changes in?
We update all our dependencies to their latest version every month. At the end of each month, we publish a new release. We have our next PR ready https://github.com/pnp/cli-microsoft365/pull/6230
Thanks @waldekmastykarz - Just spoke to Tracy Boehrer from https://github.com/microsoft/botbuilder-js/releases and they plan to release a version of this in 2 weeks or earlier. And it seems like adaptive-expressions already upped the version to 4.4.1 https://github.com/microsoft/botbuilder-js/blob/0f1dd7e520847a4aaaa21820629b4dbfdd989142/libraries/adaptive-expressions/package.json#L39
Keeping this open to track this merge.
Thank you for bringing this to our attention @priyaananthasankar and additional information about the botbuilder package. We'll update our dependencies as soon as a new version of botbuilder is available.
I wonder if there's something wrong with the package though. If I look at the link you included it shows package version 4.1.6 with fast-xml-parser 4.4.1.
If I however look at the package that's on npm, here's what I'm seeing (https://www.npmjs.com/package/adaptive-expressions?activeTab=code):
This explains why despite using a newer version, we're still on the older version of fast-xml-parser.
Priority
(Medium) I'm annoyed but I'll live
Description
This internal dependency shows up in vuln scans for Azure Cloud Shell, which pulls from this repo:
fast-xml-parser usr/lib/node_modules/@pnp/cli-microsoft365/node_modules/fast-xml-parser/package.json. It shows as needing to be updated from 4.4.0 to 4.4.1.
Please let us know if this patch is underway.
Steps to reproduce
N/A
Expected results
Upgrade 4.4.0 to 4.4.1 for fast-xml-parser.
Actual results
4.4.0
Diagnostics
No response
CLI for Microsoft 365 version
v6.11.0
nodejs version
v16.20.1
Operating system (environment)
Linux
Shell
Other
cli doctor
No response
Additional Info
No response