Getting a lot of vulnerabilities after "npm install -g @forge/cli@latest"

After running “npm install -g @forge/cli@latest”,
I get: 15 vulnerabilities (2 low, 1 moderate, 12 high)

Are the dependencies outdated or no longer maintained?

Kind regards,
Frank

Hey,

Nothing to worry about, in my opinion:

  • The npm audit system has some shortcomings. See this article: “npm audit: Broken by Design”
  • The Forge CLI is not shipped with your app (since it’s just a CLI), and the same goes for its vulnerabilities

Regards

@clement_garin The article you mentioned does not say that the vulnerabilities should be light-heartedly ignored. Just citing:

As any security professional will tell you, development dependencies actually are an attack vector, and perhaps one of the most dangerous ones because it’s so hard to detect and the code runs with high trust assumptions. This is why the situation is so bad in particular: any real issue gets buried below dozens of non-issues that npm audit is training people and maintainers to ignore. It’s only a matter of time until this happens.

Especially since Atlassian itself demands that Forge developers do security audits, see Removal of Dependency Deprecation Warnings in Forge CLI - #5 by OndejMedek
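An added editorial example, not code from this thread, from Atlassian or from the Forge project: the replies above disagree about whether findings in a tool's dependency tree matter, and the quoted article's complaint is that real issues get buried among ones that never ship. One way to stop that burying for your own app (as opposed to a globally installed CLI, whose report concerns only the tool's own tree) is to split an `npm audit --json` report into findings that are reachable from production dependencies and findings confined to development-only packages. The script below assumes the npm 7+ report format (auditReportVersion 2) and a list of production package paths as printed by `npm ls --omit=dev --parseable`; all package names, advisory titles and paths in it are constructed placeholders, and no real advisory or identifier is referenced.

```javascript
// Added example (not from the thread): triage an `npm audit --json` report
// (auditReportVersion 2, npm 7+) into production-reachable findings versus
// findings confined to development-only dependencies.
//
// Assumed real-world workflow, replacing the SAMPLE_* constants below:
//   npm audit --json > audit.json
//   npm ls --omit=dev --parseable > prod-paths.txt
//
// Everything under SAMPLE_* is CONSTRUCTED: placeholder package names,
// placeholder advisory titles, no real CVE/GHSA identifiers.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-dev-linter': {
      name: 'example-dev-linter', severity: 'high', isDirect: true,
      via: [{ name: 'example-dev-linter', title: 'Constructed advisory A', severity: 'high', range: '<2.0.0' }],
      effects: [], range: '<2.0.0', nodes: ['node_modules/example-dev-linter'],
      fixAvailable: true,
    },
    'example-http-parser': {
      name: 'example-http-parser', severity: 'moderate', isDirect: false,
      via: [{ name: 'example-http-parser', title: 'Constructed advisory B', severity: 'moderate', range: '<1.4.0' }],
      effects: ['example-server'], range: '<1.4.0', nodes: ['node_modules/example-http-parser'],
      fixAvailable: { name: 'example-server', version: '3.0.0', isSemVerMajor: true },
    },
    'example-server': {
      name: 'example-server', severity: 'moderate', isDirect: true,
      via: ['example-http-parser'], // a bare name here is a transitive hop, not an advisory
      effects: [], range: '<3.0.0', nodes: ['node_modules/example-server'],
      fixAvailable: { name: 'example-server', version: '3.0.0', isSemVerMajor: true },
    },
    'example-test-helper': {
      name: 'example-test-helper', severity: 'low', isDirect: true,
      via: [{ name: 'example-test-helper', title: 'Constructed advisory C', severity: 'low', range: '*' }],
      effects: [], range: '*', nodes: ['node_modules/example-test-helper'],
      fixAvailable: false,
    },
  },
};

// `npm ls --omit=dev --parseable` prints one absolute path per installed
// production package, the project root first. Constructed sample.
const SAMPLE_PROD_PATHS = [
  '/home/dev/app',
  '/home/dev/app/node_modules/example-server',
  '/home/dev/app/node_modules/example-http-parser',
];

// A report node ("node_modules/a/node_modules/b") is production-reachable
// when some production path ends with it.
function isProductionNode(node, prodPaths) {
  return prodPaths.some((p) => p.endsWith('/' + node));
}

function summarizeAudit(report, prodPaths) {
  if (report.auditReportVersion !== 2) {
    throw new Error('expected an npm 7+ audit report (auditReportVersion 2)');
  }
  const findings = Object.values(report.vulnerabilities).map((v) => ({
    name: v.name,
    severity: v.severity,
    production: v.nodes.some((n) => isProductionNode(n, prodPaths)),
    direct: v.isDirect,
    // `via` mixes advisory objects with bare package names (transitive hops).
    advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.title),
    fixAvailable: v.fixAvailable !== false,
    breakingFix: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
  }));
  // Production-reachable findings first, then by descending severity.
  findings.sort((a, b) =>
    Number(b.production) - Number(a.production) ||
    SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity));
  return findings;
}

// Counts per severity, split by whether the finding reaches production.
function tally(findings) {
  const out = { production: {}, development: {} };
  for (const f of findings) {
    const bucket = f.production ? out.production : out.development;
    bucket[f.severity] = (bucket[f.severity] || 0) + 1;
  }
  return out;
}

function formatFindings(findings) {
  return findings.map((f) =>
    `${f.production ? 'PROD' : 'dev '} ${f.severity.padEnd(8)} ${f.name}` +
    (f.direct ? ' (direct)' : '') +
    (f.fixAvailable ? (f.breakingFix ? ' fix: major bump' : ' fix: available') : ' fix: none') +
    (f.advisories.length ? ` - ${f.advisories.join('; ')}` : ''));
}

const findings = summarizeAudit(SAMPLE_REPORT, SAMPLE_PROD_PATHS);
console.log(formatFindings(findings).join('\n'));
console.log(JSON.stringify(tally(findings)));
```

The sort puts the two production-reachable moderate findings ahead of the high-severity one that lives only in a dev tool, which is the opposite of what the raw severity count suggests and is the triage order a reviewer actually wants. Note that `npm audit --omit=dev` gives a quick version of the same split, but it hides the dev-only findings entirely; the quoted article's point is that dev dependencies run with high trust on developer machines and in CI, so those findings are worth a second, separate list rather than silence.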