Address CVE-2022-37614
joshftb opened this issue · 3 comments
Please check our current Issues to see if someone already reported this https://github.com/Microsoft/azure-pipelines-task-lib/issues
Environment
azure-pipelines-task-lib version: 3.3.1
Issue Description
There is a prototype pollution bug in mockery, a prod dependency
package.json here
Steps to reproduce
Run Component Governance on the pipeline
Logs
n/a
How was this closed?
The latest version is vulnerable.
mfncooper/mockery appears to be an unmaintained package that hasn't been updated since 2017 or closed pull requests since 2018.
The code is fairly short.
Perhaps this repo should copy it or import a different package.
@Roman-Shchukin @joshftb Please reopen.
Please re-open as latest version of mockery (2.1.0) is also flagged with CVE-2022-37614
The Security team of one of our customers is reporting this vulnerability to us and is demanding that we provide a fix for it. Is there a workaround to remove this mockery library somehow?
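For readers unfamiliar with the bug class named in this thread, the following is an added, generic illustration of prototype pollution in JavaScript. It is not mockery's source, not the code path behind CVE-2022-37614, and not a reproduction of the reported issue: it shows an unsafe recursive merge that lets a JSON `__proto__` key write into `Object.prototype`, a hardened merge that rejects the dangerous keys, and a check that tells you whether the shared prototype has been tampered with. The function names and the attacker payload are constructed for this example.

```javascript
// Added example illustrating the prototype-pollution bug class (generic; not mockery's code).

// Unsafe: recursively merges every own key of `source`, including "__proto__".
// JSON.parse produces an own property literally named "__proto__", and reading
// target["__proto__"] returns Object.prototype, so the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain and only descend into
// the target's own properties, never into inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownChild = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof ownChild !== 'object' || ownChild === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Check: a freshly created empty object should not see the marker property.
function prototypeIsClean(marker) {
  return !(marker in {});
}

// Constructed attacker input: the kind of document an untrusted caller could pass
// to a merge/extend helper. Returns what each merge did to Object.prototype.
function demonstrate() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');

  unsafeMerge({}, payload);
  const cleanAfterUnsafe = prototypeIsClean('polluted'); // false: prototype was polluted

  delete Object.prototype.polluted; // clean up so the second run starts fresh

  safeMerge({}, payload);
  const cleanAfterSafe = prototypeIsClean('polluted'); // true: key was rejected

  return { cleanAfterUnsafe, cleanAfterSafe };
}

console.log(demonstrate());
```

The practical takeaway for a dependency like this one is that the fix is in the merge/extend logic itself (reject `__proto__`, `constructor` and `prototype`, or build the merge target with `Object.create(null)`), and that `prototypeIsClean` is a cheap assertion to drop into a test suite so a polluted global prototype fails loudly instead of silently changing the behaviour of every object in the process.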