Removal of Dependency Deprecation Warnings in Forge CLI

We’ve just released Forge CLI version 12.2.0, as announced in our changelog. In this release we have upgraded the deprecated dependencies, so when you install the latest version of the CLI you won’t get any more deprecation warnings.

Feel free to respond to the post if you have any questions related to this release.

Hi @JacobTan, glad that the team has an update addressing the issue! I have upgraded my @forge/cli version to 12.4.0; however, the warning is still presented when I test it locally. I have tried to deploy to the development environment as well, but the logs appear in the forge log either…

Hi @JacobTan,

The new release of Forge CLI has a couple of vulnerability warnings, as did the last version. Is Atlassian going to fix this, and hopefully check for this before every release?

Example:

# npm audit report

content-security-policy-parser  <0.6.0
Severity: high
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE - https://github.com/advisories/GHSA-w2cq-g8g3-gm83
fix available via `npm audit fix --force`
Will install @forge/cli@6.4.1, which is a breaking change
node_modules/@forge/cli/node_modules/content-security-policy-parser
  @forge/csp  *
  Depends on vulnerable versions of content-security-policy-parser
  node_modules/@forge/cli/node_modules/@forge/csp
    @forge/lint  <=0.0.0-experimental-fbe27f8 || 1.0.6-next.0 - 3.2.4-next.4 || >=5.7.0-next.0
    Depends on vulnerable versions of @forge/csp
    node_modules/@forge/cli/node_modules/@forge/lint
      @forge/bundler  1.0.6-next.0 - 3.1.0-test.8 || >=4.20.8-next.0
      Depends on vulnerable versions of @forge/lint
      node_modules/@forge/cli/node_modules/@forge/bundler
        @forge/cli  <=0.0.0-experimental-a9f00a0 || 1.3.3-next.6 - 5.1.0-next.5 || >=6.4.2-next.1
        Depends on vulnerable versions of @forge/bundler
        Depends on vulnerable versions of @forge/lint
        Depends on vulnerable versions of @forge/tunnel
        node_modules/@forge/cli
        @forge/tunnel  <=0.0.1-next.15 || >=0.6.3-next.0
        Depends on vulnerable versions of @forge/bundler
        Depends on vulnerable versions of @forge/csp
        node_modules/@forge/cli/node_modules/@forge/tunnel

Hi @marc, thanks for reporting the issue 🙏

The vulnerability warnings around content-security-policy-parser <0.6.0 should be patched in the upcoming release @forge/cli@^12.11.2. It should be released after 22nd Dec.

Thanks.

Vulnerabilities again: npm i -D @forge/cli@latest: 23 vulnerabilities (9 low, 4 moderate, 10 high) (@forge/cli version 12.17.0).

Do you guys have some automated audit process?

When submitting a Forge app to the Marketplace, we have to fill in a form with an Application Security question:

  1. Did you review the app’s 3rd party dependencies (i.e. open-source or external libraries) for vulnerabilities using automated tools? and, do you plan to keep these dependencies up to date?

So, yes, we keep our dependencies up to date. But we cannot publish any Forge app, since Atlassian does not update its own libraries and tools.
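One way to run the automated audit the last post asks about, as an added example that is not part of the Forge CLI or of any post in this thread: a Node script that parses `npm audit --json` output, counts only root advisories (not each transitive package that echoes them) and fails when one meets a severity threshold. The embedded report is constructed in the shape npm 7+ emits, using the advisory quoted earlier in the thread; it is not captured from a real install.

```javascript
// Added example (not Forge CLI code): gate CI on `npm audit --json` output.
// The report below is constructed in the shape npm 7+ emits, using the
// advisory quoted in the thread; it is not captured from a real install.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "content-security-policy-parser": {
      name: "content-security-policy-parser", severity: "high", isDirect: false,
      via: [{ source: 1, name: "content-security-policy-parser", severity: "high", range: "<0.6.0",
              title: "Prototype Pollution Vulnerability May Lead to RCE",
              url: "https://github.com/advisories/GHSA-w2cq-g8g3-gm83" }],
      effects: ["@forge/csp"], range: "<0.6.0",
      nodes: ["node_modules/@forge/cli/node_modules/content-security-policy-parser"],
      fixAvailable: { name: "@forge/cli", version: "6.4.1", isSemVerMajor: true },
    },
    // Transitive echo: `via` holds only a package name, not an advisory object.
    "@forge/csp": {
      name: "@forge/csp", severity: "high", isDirect: false,
      via: ["content-security-policy-parser"], effects: ["@forge/lint"], range: "*",
      nodes: ["node_modules/@forge/cli/node_modules/@forge/csp"],
      fixAvailable: { name: "@forge/cli", version: "6.4.1", isSemVerMajor: true },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 0, total: 2 } },
};

// Collect root advisories only, so one bad package is not counted once per
// dependant; note whether the offered fix is a semver-major (breaking) bump.
function summarizeAudit(report) {
  const roots = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    for (const a of v.via.filter((x) => typeof x === "object")) {
      roots.push({ package: v.name, severity: a.severity, range: a.range, url: a.url,
                   fixable: v.fixAvailable !== false,
                   breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true });
    }
  }
  return roots;
}

// Gate: fail when any root advisory is at or above the `failOn` severity.
function auditGate(report, failOn = "high") {
  const failing = summarizeAudit(report).filter((r) => SEVERITY_RANK[r.severity] >= SEVERITY_RANK[failOn]);
  return { pass: failing.length === 0, failing, counts: (report.metadata && report.metadata.vulnerabilities) || {} };
}
```

In a pipeline, feed the real report with `npm audit --json > audit.json`, call `auditGate(JSON.parse(fs.readFileSync("audit.json", "utf8")))` and exit non-zero when `pass` is false; the `breakingFix` flag tells you in advance when the only fix is a major bump such as the `@forge/cli@6.4.1` change in the quoted output.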