stoplightio / spectral

A flexible JSON/YAML linter for creating automated style guides, with baked in support for OpenAPI v3.1, v3.0, and v2.0 as well as AsyncAPI v2.x.
https://stoplight.io/spectral
Apache License 2.0

Vulnerability reported due to optionator v0.9.1 transitive dependency #2499

Closed padamstx closed 1 year ago

padamstx commented 1 year ago

Chore summary

The @stoplight/spectral-cli package has an indirect dependency on optionator v0.9.1, which has a vulnerability (CVE-2023-26115) due to its "word-wrap" dependency. Optionator v0.9.3 was recently released which fixes this by using a different "word-wrap" package.

The purpose of this issue is to request that spectral-cli be updated to avoid this CVE.

Additional context

n/a

Jokinen commented 1 year ago

In our research, we noticed this kind of dependency path for word-wrap.

@stoplight/spectral-cli@6.8.0
└─┬ proxy-agent@5.0.0
  └─┬ pac-proxy-agent@5.0.0
    └─┬ pac-resolver@5.0.1
      └─┬ degenerator@3.0.4
        └─┬ escodegen@1.14.3
          └─┬ optionator@0.8.3
            └── word-wrap@1.2.3

P0lip commented 1 year ago

Should be addressed by #2513, which drops proxy-agent.

padamstx commented 1 year ago

Thanks for addressing this, @P0lip !

stoplight-bot commented 1 year ago

:tada: This issue has been resolved in version 6.9.0 :tada:

The release is available on npm package (@latest dist-tag)

Your semantic-release bot :package::rocket: