
GOT dependency vulnerability

Open ottoville opened this issue 1 year ago • 5 comments

The SWA-CLI has a dependency on the GOT 9.6.0 package, as seen in the following diagram:

└─┬ @azure/[email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]

GOT package versions before 12.1.0 have the vulnerability CVE-2022-33987: https://nvd.nist.gov/vuln/detail/CVE-2022-33987

ottoville avatar Apr 02 '23 16:04 ottoville
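As an added example (not code from the issue or from the SWA CLI project), a small script that walks an `npm ls --all --json`-shaped dependency tree and reports every path that reaches `got` at a version below the fixed release 12.1.0, so a project can confirm which transitive chain pulls in the vulnerable package; the embedded tree is constructed with placeholder package names and versions, since the intermediate packages in the chain above are not legible on the page.

```javascript
// Added example: find transitive paths to `got` < 12.1.0 (CVE-2022-33987)
// in an `npm ls --all --json` style tree. Not the SWA CLI project's code.

const FIXED_GOT = "12.1.0"; // first release that fixes CVE-2022-33987

// Minimal semver compare on the MAJOR.MINOR.PATCH core; pre-release tags
// and build metadata are ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect "name@version > ..." paths to every vulnerable `got`.
// `tree` has the shape { dependencies: { name: { version, dependencies } } }.
function findVulnerableGot(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === "got" && compareVersions(info.version, FIXED_GOT) < 0) {
      hits.push(here.join(" > "));
    }
    hits.push(...findVulnerableGot(info, here));
  }
  return hits;
}

// Constructed sample tree: placeholder names/versions (dep-a, dep-b, dep-c,
// 0.0.0-example) stand in for the real intermediate packages.
const SAMPLE_TREE = {
  dependencies: {
    "@azure/static-web-apps-cli": { version: "0.0.0-example", dependencies: {
      "dep-a": { version: "0.0.0-example", dependencies: {
        "dep-b": { version: "0.0.0-example", dependencies: {
          "dep-c": { version: "0.0.0-example", dependencies: {
            got: { version: "9.6.0" } } } } } } } } },
    // A second consumer already on the fixed version is not reported.
    "other-tool": { version: "1.0.0", dependencies: { got: { version: "12.1.0" } } }
  }
};

function report() { return findVulnerableGot(SAMPLE_TREE); }
console.log(report().join("\n"));
```

To run it against a real project, replace SAMPLE_TREE with the parsed output of `npm ls --all --json`.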

I'd like to see this vulnerability addressed sometime also.

fgoulet avatar Jul 25 '23 12:07 fgoulet

This is annoying; it's giving my project that uses the CLI package a security alert in GitHub because of this, with no apparent way to address it short of getting rid of my reliance on the SWA CLI.


dylan-smith avatar Sep 22 '23 16:09 dylan-smith

This is still an issue with @azure/[email protected]

nkelly75 avatar Oct 18 '23 19:10 nkelly75

Kind of disappointing that there has been no official response to this. However, I think this tool is supposed to be installed globally rather than as a project dependency.

Maybe the way this tool uses got would not present an opportunity for exploitation of the unix sockets (or would only present the opportunity to the dev who is using the tool), but the easy way to get rid of the security warnings is to simply remove it as a dependency and install it globally, as described in the Quick Start section of the readme.

FlippingBinary avatar Oct 26 '23 12:10 FlippingBinary