microsoft/rushstack

Update Vulnerable Dependency in npm-check

CaiCharles01 opened this issue · 4 comments

Description:
The current version of the npm-check package used in RushStack has a dependency on got@9.6.0, which is vulnerable (CVE-2022-33987). The last release of npm-check was on July 17, 2022, and it seems to be out of maintenance. However, got has already fixed the vulnerability in newer releases.

Affected Package:

  • Package Name: npm-check
  • Version: 6.0.1

Vulnerable Dependency:

Proposed Action:

  1. Check if there is a plan to update the npm-check package to a newer version that no longer depends on the vulnerable got@9.6.0.
  2. If an update is not planned, consider replacing npm-check with an alternative package or finding a way to mitigate the vulnerability.

Environment Details:

  • RushStack version: latest

npm-check pulls in a huge set of dependencies. We should 1) move this to a Rush plugin and 2) figure out if there's a way to do what npm-check does with either a small set of other dependencies or with another tool.

Assigning @TheLarkInn.
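To make the reporter's step 2 (confirm the vulnerable version is actually installed and find a mitigation) and the maintainer's concern about npm-check's dependency footprint checkable, here is an added example that is not RushStack code and not from this thread. It walks an npm lockfile (`lockfileVersion` 2 or 3, the `packages` map), reports every installed copy of `got` whose version falls in the affected range for CVE-2022-33987 together with the chain of packages that pulls it in, and counts how many packages a dependency such as npm-check brings along. The lockfile is constructed: npm-check@6.0.1 and got@9.6.0 come from the issue, while the intermediate `package-json` link and all other names and versions are invented for illustration. The affected ranges (below 11.8.5, and 12.0.0 up to but excluding 12.1.0) are the ones published in the got advisory as I know them; they are an input to confirm against the advisory, not something the script derives.

```javascript
// Added example, not RushStack code: audit an npm lockfile for an affected
// transitive dependency and report the chain that pulls it in.

// Affected ranges for CVE-2022-33987 as published for got (patched in 11.8.5 and
// 12.1.0). Each range is [atLeast, below); confirm against the advisory.
const GOT_CVE_2022_33987_RANGES = [
  { below: '11.8.5' },
  { atLeast: '12.0.0', below: '12.1.0' },
];

// Constructed lockfile. npm-check@6.0.1 and got@9.6.0 are from the issue; the
// package-json link and every other name/version are hypothetical. The root
// also depends on a patched got so the audit has to tell the two copies apart.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0',
          dependencies: { 'npm-check': '^6.0.1', got: '^12.5.0' } },
    'node_modules/npm-check': { version: '6.0.1', dependencies: { 'package-json': '^6.0.0' } },
    'node_modules/package-json': { version: '6.5.0', dependencies: { got: '^9.6.0' } },
    'node_modules/package-json/node_modules/got': { version: '9.6.0' },
    'node_modules/got': { version: '12.5.3' },
  },
};

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; a pre-release suffix is dropped,
// which is sufficient for the release versions a lockfile records.
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => Number.parseInt(n, 10));
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside any [atLeast, below) range.
function isAffected(version, ranges) {
  return ranges.some((r) =>
    (r.atLeast === undefined || compareVersions(version, r.atLeast) >= 0) &&
    compareVersions(version, r.below) < 0);
}

// npm resolution: prefer a node_modules nested under the requiring package, then
// walk up toward the root. Returns the lockfile key, or null if not installed.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base === '' ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const up = base.lastIndexOf('/node_modules/');
    base = up === -1 ? '' : base.slice(0, up);
  }
}

// Depth-first walk from the root: one finding per chain that reaches an
// installed copy of `packageName` in an affected version.
function auditLockfile(lock, packageName, ranges) {
  const packages = lock.packages;
  const findings = [];
  const onStack = new Set(); // cycle guard for circular dependencies

  function walk(key, chain) {
    if (onStack.has(key)) return;
    onStack.add(key);
    for (const depName of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolveDep(packages, key, depName);
      if (depKey === null) continue; // e.g. optional dependency not installed
      const nextChain = [...chain, depName];
      if (depName === packageName && isAffected(packages[depKey].version, ranges)) {
        findings.push({ key: depKey, version: packages[depKey].version, chain: nextChain });
      }
      walk(depKey, nextChain);
    }
    onStack.delete(key);
  }

  walk('', [packages[''].name || lock.name]);
  return findings;
}

// Install footprint: distinct lockfile entries reachable from `packageName`,
// excluding the package itself.
function transitiveDependencyCount(lock, packageName) {
  const packages = lock.packages;
  const start = resolveDep(packages, '', packageName);
  if (start === null) return 0;
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const key = queue.shift();
    for (const depName of Object.keys(packages[key].dependencies || {})) {
      const depKey = resolveDep(packages, key, depName);
      if (depKey !== null && !seen.has(depKey)) { seen.add(depKey); queue.push(depKey); }
    }
  }
  return seen.size - 1;
}

for (const f of auditLockfile(SAMPLE_LOCK, 'got', GOT_CVE_2022_33987_RANGES)) {
  console.log(`got@${f.version} at ${f.key} via ${f.chain.join(' > ')}`);
}
console.log(`npm-check pulls in ${transitiveDependencyCount(SAMPLE_LOCK, 'npm-check')} packages`);
```

Against a real project, replace `SAMPLE_LOCK` with the parsed contents of `package-lock.json`. The chain in each finding is what matters for mitigation: an affected copy reached only through npm-check can be removed by dropping or replacing npm-check, whereas a copy reached directly from the root needs a version bump in the project itself. The footprint count gives a number to compare candidate replacements against, which is the question the maintainer's comment raises.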