Security Advisory: Forge CLI NPM dependencies

Dear Marketplace Developer Community,

We are aware of recent reports regarding the compromise of several NPM packages targeting cryptocurrency wallets.

Our security team has investigated this matter and identified that two vulnerable packages - strip-ansi and wrap-ansi - were present in the dependency tree for our Forge CLI.

We found that Forge CLI does not directly depend on the affected versions. However, they may have been introduced through secondary dependencies if Forge CLI was installed during the vulnerable period.

It is important to note that the current known exploit path relies on a browser environment. While Forge CLI does not run in a browser, to eliminate the potential risk of exploit, we strongly recommend that all Forge CLI users uninstall and re-install Forge CLI using the following commands:

npm uninstall -g @forge/cli
npm install -g @forge/cli@latest

The security and protection of our customers' data is our top priority. We thank you for your cooperation.

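The advisory says the two packages reached Forge CLI only through secondary dependencies, so the useful check on a developer machine is whether any copy of strip-ansi or wrap-ansi sits anywhere in the installed tree and at which version. The script below is an added example, not Atlassian's tooling: it walks either an npm lockfile (the flat "packages" map of lockfileVersion 2/3, or the nested "dependencies" map of lockfileVersion 1) or the JSON that `npm ls -g --json` prints, which has the same nested shape, and reports every copy it finds. The advisory does not list the affected version numbers, so AFFECTED_VERSIONS holds labelled placeholders and the sample trees are constructed; fill the set from the upstream incident report before treating a "clean" result as meaningful.

```python
import json
import sys
from typing import Dict, List, Tuple

# Packages named in the advisory.
WATCHED = {"strip-ansi", "wrap-ansi"}

# PLACEHOLDER: the advisory gives no version numbers. Replace these with the
# versions published in the upstream incident report before relying on output.
AFFECTED_VERSIONS = {
    "strip-ansi": {"0.0.0-placeholder"},
    "wrap-ansi": {"9.9.9-sample-affected"},
}

Hit = Tuple[str, str, str]  # (package name, install path, version)


def _walk_dependencies(deps: dict, prefix: str, hits: List[Hit]) -> None:
    """Recurse through a nested 'dependencies' map (lockfileVersion 1 layout,
    also the layout of `npm ls --json` output)."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in WATCHED:
            hits.append((name, path, meta.get("version", "?")))
        _walk_dependencies(meta.get("dependencies", {}), path + "/", hits)


def find_watched(tree: dict) -> List[Hit]:
    """Return every copy of a watched package, including nested duplicates."""
    hits: List[Hit] = []
    packages = tree.get("packages")
    if packages:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root.
        for path, meta in packages.items():
            if not path:
                continue
            # Last segment after the final 'node_modules/' is the package
            # name (scoped packages keep their '@scope/name' form).
            name = path.rsplit("node_modules/", 1)[-1]
            if name in WATCHED:
                hits.append((name, path, meta.get("version", "?")))
    else:
        _walk_dependencies(tree.get("dependencies", {}), "", hits)
    return sorted(hits)


def assess(tree: dict) -> Dict[str, List[Hit]]:
    """Split hits into 'present' (any version) and 'affected' (listed version)."""
    report: Dict[str, List[Hit]] = {"present": [], "affected": []}
    for hit in find_watched(tree):
        name, _path, version = hit
        report["present"].append(hit)
        if version in AFFECTED_VERSIONS.get(name, set()):
            report["affected"].append(hit)
    return report


# Constructed sample in lockfileVersion 3 layout; versions are invented.
SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@forge/cli": {"version": "0.0.0-sample"},
        "node_modules/@forge/cli/node_modules/strip-ansi": {"version": "1.2.3-sample"},
        "node_modules/wrap-ansi": {"version": "9.9.9-sample-affected"},
        "node_modules/chalk": {"version": "4.1.2"},
    },
}

# Constructed sample in the nested layout of `npm ls -g --json`.
SAMPLE_NPM_LS = {
    "name": "global",
    "dependencies": {
        "@forge/cli": {
            "version": "0.0.0-sample",
            "dependencies": {
                "strip-ansi": {"version": "1.2.3-sample"},
                "wrap-ansi": {"version": "9.9.9-sample-affected"},
            },
        }
    },
}


if __name__ == "__main__":
    # Usage: python check_ansi_deps.py [package-lock.json | npm-ls.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            tree = json.load(fh)
    else:
        tree = SAMPLE_LOCKFILE
    result = assess(tree)
    for name, path, version in result["present"]:
        flag = "AFFECTED" if (name, path, version) in result["affected"] else "present"
        print(f"{flag:8} {name}@{version}  ({path})")
    sys.exit(1 if result["affected"] else 0)
```

Pipe `npm ls -g --json > npm-ls.json` into it to inspect a global install without touching a lockfile; the non-zero exit on an affected hit makes it usable as a CI gate once the placeholder versions are replaced.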

Thanks for this update about these packages. I was curious after seeing this in a YouTube video last week.

It would be great if Cloud-related Security Advisories would also be published here: Security at Atlassian: Vulnerabilities | Atlassian

Hi @David5 ,

Thanks for the heads up.

Can Atlassian also take care of the rest of the security vulnerabilities in forge-cli? This is a recurring issue where vulnerabilities are NOT addressed, see e.g.