Dependencies have security vulnerabilities #2774

Closed
hungrypipo opened this issue Mar 14, 2024 · 4 comments
Labels
more information required Issue requires more information or a response from the customer

Comments

@hungrypipo

For @salesforce/cli even the latest 2.34 version

Just one example, the ip module used 2.0.0 has a vulnerability that can be fixed by a higher version

https://security.snyk.io/vuln/SNYK-JS-IP-6240864

From npm-shrinkwrap.json:

    "node_modules/npm/node_modules/ip": {
      "version": "2.0.0",
      "inBundle": true,
      "license": "MIT"
    },

The other one that has a fix
https://security.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-6147607

@hungrypipo hungrypipo added the "investigating" label (We're actively investigating this issue) Mar 14, 2024

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.


Hello @hungrypipo 👋 It looks like you didn't include the full Salesforce CLI version information in your issue.
Please provide the output of version --verbose --json for the CLI you're using (sf or sfdx).

A few more things to check:

  • Make sure you've provided detailed steps to reproduce your issue.
    • A repository that clearly demonstrates the bug is ideal.
  • Make sure you've installed the latest version of Salesforce CLI. (docs)
    • Better yet, try the rc or nightly versions. (docs)
  • Try running the doctor command to diagnose common issues.
  • Search GitHub for existing related issues.

Thank you!

@github-actions github-actions bot added the "more information required" label (Issue requires more information or a response from the customer) and removed the "investigating" label Mar 14, 2024
@shetzel
Contributor

shetzel commented Mar 14, 2024

The many repos involved with building the Salesforce CLI have dependabot running weekly to keep everything as up to date as possible. The ip module you referenced is currently at 2.0.0 and there is a recent patch release (2.0.1). This dependency comes from a nested dep within @oclif/plugin-plugins so it would need to be bumped there and then the version of plugin-plugins bumped within the CLI. I don't see serialize-javascript in use at all by the CLI. But also, just because snyk reports a vulnerability doesn't mean it's a bug or vulnerability in a CLI environment (i.e., running locally on a machine). How the library is being used is an important factor that tools like snyk don't consider. Regardless, I'll look at the dependencies of @oclif/plugin-plugins but unless there's a bug involved with the CLI this is low priority and should eventually be handled by our dependabot update process.
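The nested-copy problem shetzel describes (bumping `ip` at the top level does not reach a copy pinned under another package such as `npm` or `@oclif/plugin-plugins`) can be checked mechanically against a lockfile's `packages` map. The script below is an added example, not code from this thread or from the Salesforce CLI repositories; the lockfile excerpt is constructed, and the fixed version 2.0.1 is the patch release shetzel mentions.

```javascript
// Constructed excerpt of an npm lockfile v3 "packages" map (NOT the real
// npm-shrinkwrap.json of @salesforce/cli). Keys are install paths, so a nested
// copy of a package shows up as a repeated "node_modules/" segment.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cli", version: "1.0.0" },
    "node_modules/ip": { version: "2.0.1" },
    "node_modules/npm": { version: "10.2.0", inBundle: true },
    "node_modules/npm/node_modules/ip": { version: "2.0.0", inBundle: true, license: "MIT" },
    "node_modules/@oclif/plugin-plugins": { version: "4.1.0" },
    "node_modules/@oclif/plugin-plugins/node_modules/ip": { version: "1.1.8" },
  },
};

// Parse plain "major.minor.patch"; returns null for ranges, tags or prereleases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// True when `installed` is strictly older than `fixed` (numeric, not lexical).
function isBelow(installed, fixed) {
  const a = parseVersion(installed), b = parseVersion(fixed);
  if (!a || !b) throw new Error(`unsupported version string: ${installed} / ${fixed}`);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Lockfile path -> dependency chain, e.g.
// "node_modules/npm/node_modules/ip" -> ["npm", "ip"]; scoped names keep their "@scope/".
function chainFromPath(path) {
  return path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
}

// Every installed copy of `pkg` older than `fixedIn`, with the parents that pin it.
// A copy under a parent is not fixed by bumping `pkg` at the top level: the parent must move first.
function findVulnerableCopies(lockfile, pkg, fixedIn) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages)) {
    const chain = chainFromPath(path);
    if (chain.length === 0 || chain[chain.length - 1] !== pkg) continue;
    if (!isBelow(meta.version, fixedIn)) continue;
    hits.push({ path, version: meta.version, parents: chain.slice(0, -1), bundled: Boolean(meta.inBundle) });
  }
  return hits;
}

for (const h of findVulnerableCopies(LOCKFILE, "ip", "2.0.1")) {
  console.log(`${h.path}@${h.version} pinned via ${h.parents.join(" -> ")}${h.bundled ? " (bundled)" : ""}`);
}
```

The top-level `ip@2.0.1` is not reported, while both nested copies are, each with the parent chain that has to pick up the new version before the CLI's own lockfile can change.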

@shetzel
Contributor

shetzel commented Mar 14, 2024

Will eventually be fixed with oclif/plugin-plugins#821

@shetzel shetzel closed this as completed Mar 14, 2024