tableau / extensions-api

Extensions API sample code and developer docs.
http://tableau.github.io/extensions-api
MIT License

npm tableau/tabextsandbox has vulnerabilities #510

Closed AO-91 closed 1 year ago

AO-91 commented 2 years ago

When I follow https://tableau.github.io/extensions-api/docs/trex_getstarted.html and install I get vulnerability warnings:

# npm audit report

ejs  <3.1.7
Severity: critical
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
No fix available
node_modules/ejs
  @tableau/tabextsandbox  *
  Depends on vulnerable versions of ejs
  Depends on vulnerable versions of optimist
  node_modules/@tableau/tabextsandbox

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/@tableau/tabextsandbox/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/@tableau/tabextsandbox/node_modules/optimist

4 vulnerabilities (1 moderate, 3 critical)

The fix using npm audit doesn't work. It seems like npm minimist is using version 0.0.1.

+-- @tableau/tabextsandbox@1.9.0
| `-- optimist@0.6.1
|   `-- minimist@0.0.10

Just wanted to bring it to your attention. If this is something that I can fix on my end then any advice is much appreciated!
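The audit report above shows the shape of the problem: the vulnerable packages are transitive (tabextsandbox → optimist → minimist), and `npm audit fix` can only bump a transitive dependency when every parent's declared range admits the fixed version. The following is an added illustration, not code from the extensions-api repo or from either commenter. It walks a constructed dependency tree mirroring the `npm ls` output in the issue, reports each path that lands inside an advisory's vulnerable range, and names the parent whose declared range blocks an automatic fix. The advisory ranges (`ejs <3.1.7`, `minimist <=1.2.5`) come from the report; the ejs version `2.7.4` and the declared ranges `~2.7.4` and `~0.0.1` are assumptions made for the example.

```javascript
// Added example (not part of the extensions-api project): locate vulnerable
// transitive dependencies in a constructed tree and explain why `npm audit fix`
// cannot always resolve them.

const parse = (v) => v.split('.').map(Number); // "1.2.5" -> [1, 2, 5]
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal range matcher: "*", "<v", "<=v", ">v", ">=v", "~v" (same major.minor,
// patch >= v) and an exact version. Enough for the ranges quoted in the report.
function satisfies(version, range) {
  range = range.trim();
  if (range === '*') return true;
  const m = range.match(/^(<=|>=|<|>|~)?\s*(\d+\.\d+\.\d+)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op = '', v] = m;
  const c = cmp(version, v);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    case '~': {
      const [vm, vn] = parse(v), [wm, wn] = parse(version);
      return vm === wm && vn === wn && c >= 0;
    }
    default: return c === 0;
  }
}

// Advisories as quoted by `npm audit` in the issue; `fixed` is the first
// version outside the vulnerable range.
const ADVISORIES = [
  { name: 'ejs', range: '<3.1.7', fixed: '3.1.7', severity: 'critical' },
  { name: 'minimist', range: '<=1.2.5', fixed: '1.2.6', severity: 'critical' },
];

// Constructed tree in the shape of the `npm ls` output from the issue.
// `requires` holds the range each parent declares for a child. The ejs
// version and the "~2.7.4" / "~0.0.1" ranges are assumptions for illustration.
const TREE = {
  name: '@tableau/tabextsandbox', version: '1.9.0',
  requires: { ejs: '~2.7.4', optimist: '>=0.6.0' },
  dependencies: [
    { name: 'ejs', version: '2.7.4', requires: {}, dependencies: [] },
    { name: 'optimist', version: '0.6.1', requires: { minimist: '~0.0.1' },
      dependencies: [{ name: 'minimist', version: '0.0.10', requires: {}, dependencies: [] }] },
  ],
};

// Every dependency path that ends in a version inside an advisory's range.
function findVulnerablePaths(node, advisories = ADVISORIES, trail = []) {
  const here = [...trail, `${node.name}@${node.version}`];
  const hits = advisories
    .filter((a) => a.name === node.name && satisfies(node.version, a.range))
    .map((a) => ({ path: here.join(' > '), advisory: a.name, severity: a.severity }));
  for (const child of node.dependencies) hits.push(...findVulnerablePaths(child, advisories, here));
  return hits;
}

// Parents whose declared range excludes the fixed version; these are the
// places where `npm audit fix` stops and an upstream release is required.
function auditFixBlockers(node, advisories = ADVISORIES, parent = null) {
  const out = [];
  for (const a of advisories) {
    if (node.name === a.name && satisfies(node.version, a.range)) {
      const declared = parent ? parent.requires[node.name] : '*';
      if (!satisfies(a.fixed, declared)) {
        out.push({ advisory: a.name, parent: `${parent.name}@${parent.version}`, declared });
      }
    }
  }
  for (const child of node.dependencies) out.push(...auditFixBlockers(child, advisories, node));
  return out;
}

console.log('vulnerable paths:', findVulnerablePaths(TREE));
console.log('audit-fix blockers:', auditFixBlockers(TREE));
```

Run with `node` to see both lists. For the minimist case the blocker is `optimist@0.6.1`, whose declared range cannot reach any fixed minimist, which is exactly why only a new tabextsandbox release (1.10.0 in the thread) clears the report; in a CI gate you would fail the build on any critical hit from `findVulnerablePaths` and surface the blockers so the owning team knows which upstream package to chase.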

johnDance commented 2 years ago

Thank you for bringing this to our attention. We will get the dependencies updated. John

johnDance commented 1 year ago

Fixed in version 1.10.0. Thank you.