Update Vulnerable Dependency in npm-check
CaiCharles01 opened this issue · 4 comments
CaiCharles01 commented
Description:
The current version of the npm-check package used in RushStack has a dependency on got@9.6.0, which is vulnerable (CVE-2022-33987). The last release of npm-check is on July 17, 2022, and it seems to be out of maintenance. However, got has already fixed the vulnerability in newer releases.
Affected Package:
- Package Name: npm-check
- Version: 6.0.1
Vulnerable Dependency:
- Package Name: got
- Vulnerable Version: 9.6.0
- CVE-2022-33987
Proposed Action:
- Check if there is a plan to update the npm-check package to a newer version that no longer depends on the vulnerable got@9.6.0.
- If an update is not planned, consider replacing npm-check with an alternative package or finding a way to mitigate the vulnerability.
Environment Details:
- RushStack version: latest
iclanton commented
npm-check pulls in a huge set of dependencies. We should 1) move this to a Rush plugin and 2) figure out if there's a way to do what npm-check does with either a small set of other dependencies or with another tool.
Assigning @TheLarkInn.