Hello!
When installing "@forge/cli": "^6.21.0",
I get the audit report with high and critical vulnerabilities.
I understand we are in a fast-paced environment, yet reading an audit report with critical and high vulnerabilities raises some concerns for me.
Any chance it gets addressed in the upcoming releases?
Audit report below:
# npm audit report
browserify-sign 2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/browserify-sign
loader-utils 2.0.0 - 2.0.3
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix`
node_modules/@forge/cli/node_modules/loader-utils
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @forge/cli@0.23.0, which is a breaking change
node_modules/@forge/cli/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/@forge/cli/node_modules/cheerio/node_modules/css-select
cheerio 0.19.0 - 1.0.0-rc.3
Depends on vulnerable versions of css-select
node_modules/@forge/cli/node_modules/cheerio
@forge/bundler <=0.0.0-experimental-fbe27f8 || >=0.7.11-next.0
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/lint
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/bundler
@forge/cli <=0.0.0-experimental-a9f00a0 || >=0.24.0-next.7
Depends on vulnerable versions of @forge/bundler
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/lint
Depends on vulnerable versions of @forge/manifest
Depends on vulnerable versions of @forge/tunnel
Depends on vulnerable versions of cheerio
node_modules/@forge/cli
@forge/tunnel <=0.0.1-next.15 || >=0.5.5-next.0
Depends on vulnerable versions of @forge/bundler
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/csp
node_modules/@forge/cli/node_modules/@forge/tunnel
@forge/cli-shared >=0.12.2-next.0
Depends on vulnerable versions of @forge/manifest
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/cli-shared
@forge/lint <=0.0.0-experimental-fbe27f8 || >=0.4.5-next.0
Depends on vulnerable versions of @forge/cli-shared
Depends on vulnerable versions of @forge/manifest
node_modules/@forge/cli/node_modules/@forge/lint
@forge/csp *
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/csp
@forge/manifest <=0.0.0-experimental-fbe27f8 || >=2.3.1-next.0
Depends on vulnerable versions of cheerio
node_modules/@forge/cli/node_modules/@forge/manifest
12 vulnerabilities (11 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force