
Vulnerability reported due to optionator v0.9.1 transitive dependency #2499

Closed
1 task
padamstx opened this issue Jul 6, 2023 · 4 comments · Fixed by #2513

Comments

@padamstx
Contributor

padamstx commented Jul 6, 2023

Chore summary
The @stoplight/spectral-cli package has an indirect dependency on optionator v0.9.1, which has a vulnerability (CVE-2023-26115) due to its "word-wrap" dependency. Optionator v0.9.3 was recently released which fixes this by using a different "word-wrap" package.

The purpose of this issue is to request that spectral-cli be updated to avoid this CVE.

Tasks

  • Upgrade dependencies so that optionator v0.9.3 is used in order to avoid CVE-2023-26115

Additional context
n/a

@padamstx padamstx added the chore label Jul 6, 2023
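As an added example that is not part of this issue thread or of the Spectral project: the script below does, programmatically, the check a maintainer would run to confirm how a flagged transitive dependency such as optionator is pulled in. It walks an npm lockfile (lockfileVersion 2/3 "packages" map), resolves each dependency the way npm's node_modules lookup does (nearest nested copy first, then up toward the root), reports every resolved copy of the target package with the path that introduces it, and flags copies below the version that carries the fix. The lockfile embedded here is constructed for the example; the chain `@stoplight/spectral-cli -> proxy-agent -> optionator` is a shortened stand-in and not the real dependency tree, and the `lint-tool` package is invented to show a second, already-fixed copy living alongside the vulnerable one.

```javascript
// Constructed lockfile for this example (not a real Spectral lock file).
// The chain spectral-cli -> proxy-agent -> optionator is shortened on purpose;
// "lint-tool" is a hypothetical package that already resolves optionator 0.9.3.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@stoplight/spectral-cli": "^6.8.0", "lint-tool": "^1.0.0" } },
    "node_modules/@stoplight/spectral-cli": { version: "6.8.0", dependencies: { "proxy-agent": "^5.0.0" } },
    "node_modules/proxy-agent": { version: "5.0.0", dependencies: { optionator: "^0.9.1" } },
    "node_modules/optionator": { version: "0.9.1", dependencies: { "word-wrap": "^1.2.3" } },
    "node_modules/word-wrap": { version: "1.2.3" },
    "node_modules/lint-tool": { version: "1.0.0", dependencies: { optionator: "^0.9.3" } },
    // Nested copy: the fixed release, its own dependencies omitted for brevity.
    "node_modules/lint-tool/node_modules/optionator": { version: "0.9.3" },
  },
};

// Package name is everything after the last "node_modules/" segment,
// which keeps scoped names such as "@stoplight/spectral-cli" intact.
function packageName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Resolve which lockfile entry `name` maps to when required from `fromKey`:
// try the nested node_modules next to the requiring package, then walk up
// one node_modules level at a time until the root is reached.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed at all
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Numeric comparison of dotted versions; prerelease tags are ignored.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk from the root entry; every time a dependency resolves to
// `target`, record its version and the "name@version" trail that reached it.
// `seen` is kept per path so that cycles stop but distinct paths are all reported.
function findPaths(lock, target) {
  const packages = lock.packages;
  const hits = [];
  const visit = (key, trail, seen) => {
    const deps = Object.keys(packages[key].dependencies || {});
    for (const dep of deps) {
      const depKey = resolveKey(packages, key, dep);
      if (!depKey || seen.has(depKey)) continue;
      const next = trail.concat(`${packageName(depKey)}@${packages[depKey].version}`);
      if (packageName(depKey) === target) {
        hits.push({ key: depKey, version: packages[depKey].version, path: next });
      }
      visit(depKey, next, new Set(seen).add(depKey));
    }
  };
  visit("", [], new Set([""]));
  return hits;
}

// Mark each resolved copy as vulnerable when it is older than `fixedVersion`.
function auditLockfile(lock, target, fixedVersion) {
  return findPaths(lock, target).map((hit) => ({
    ...hit,
    vulnerable: compareVersions(hit.version, fixedVersion) < 0,
  }));
}

// Stand-alone run: optionator below 0.9.3 is the case from this issue.
for (const hit of auditLockfile(LOCKFILE, "optionator", "0.9.3")) {
  const status = hit.vulnerable ? "VULNERABLE" : "ok";
  console.log(`${status.padEnd(10)} ${hit.path.join(" > ")}`);
}
```

On a real project the same walk over `package-lock.json` is what `npm ls optionator` prints; the script adds the version gate so a CI job can fail only when a copy older than the fixed release is still reachable.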
@Jokinen

Jokinen commented Jul 12, 2023

In our research, we noticed this kind of dependency path for word-wrap.

@P0lip
Contributor

P0lip commented Jul 24, 2023

Should be addressed by #2513 which drops proxy-agent

@padamstx
Contributor Author

Thanks for addressing this, @P0lip !

@stoplight-bot
Collaborator

🎉 This issue has been resolved in version 6.9.0 🎉

The release is available on npm package (@latest dist-tag)

Your semantic-release bot 📦🚀
