Xata, 2mo ago
Cawfehhh

High severity vulnerabilities when installing @xata.io/cli

Hi all, encountered 4 high severity vulnerabilities when I installed the CLI:
npm install @xata.io/cli

added 200 packages, changed 3 packages, and audited 1808 packages in 14s

267 packages are looking for funding
run `npm fund` for details

4 high severity vulnerabilities

To address all issues, run:
npm audit fix

Run `npm audit` for details.
Ran npm audit fix, then it got down to 3:
npm audit fix

changed 1 package, and audited 1808 packages in 5s

267 packages are looking for funding
run `npm fund` for details

# npm audit report

lodash.pick >=4.0.0
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install @xata.io/[email protected], which is a breaking change
node_modules/lodash.pick
@xata.io/importer >=1.0.0
Depends on vulnerable versions of lodash.pick
node_modules/@xata.io/importer
@xata.io/cli >=0.13.0
Depends on vulnerable versions of @xata.io/importer
node_modules/@xata.io/cli

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force
Forced a fix, and it got up to 17 (can't paste the output for some reason). And then tried fixing and force fixing and it goes on in a loop. Should I be worried about the vulnerabilities?
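The loop the OP describes is easier to reason about from the machine-readable form of the report. Below is an added example (not from the original post and not Xata's code) that reads the JSON shape `npm audit --json` emits (npm 7 and later) and classifies each root finding by the kind of fix npm can offer. The sample report is constructed by hand to mirror the chain shown in the thread (lodash.pick -> @xata.io/importer -> @xata.io/cli); the version string inside `fixAvailable` is a placeholder, not a real @xata.io/cli release.

```javascript
// Added example: triage `npm audit --json` output. Not code from the original
// post or from Xata. SAMPLE_REPORT is constructed in the npm v7+ report shape;
// the `fixAvailable.version` value is a placeholder.
const ADVISORY_URL = "https://github.com/advisories/GHSA-p6mc-m468-83gw";
const SAMPLE_REPORT = {
  vulnerabilities: {
    "lodash.pick": {
      name: "lodash.pick",
      severity: "high",
      isDirect: false,
      // Only a root finding carries advisory objects in `via`.
      via: [{ title: "Prototype Pollution in lodash", url: ADVISORY_URL, severity: "high", range: ">=4.0.0" }],
      effects: ["@xata.io/importer"],
      range: ">=4.0.0",
      nodes: ["node_modules/lodash.pick"],
      fixAvailable: { name: "@xata.io/cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "@xata.io/importer": {
      name: "@xata.io/importer",
      severity: "high",
      isDirect: false,
      via: ["lodash.pick"], // transitive: inherits the finding by package name
      effects: ["@xata.io/cli"],
      range: ">=1.0.0",
      nodes: ["node_modules/@xata.io/importer"],
      fixAvailable: { name: "@xata.io/cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    "@xata.io/cli": {
      name: "@xata.io/cli",
      severity: "high",
      isDirect: true,
      via: ["@xata.io/importer"],
      effects: [],
      range: ">=0.13.0",
      nodes: ["node_modules/@xata.io/cli"],
      fixAvailable: { name: "@xata.io/cli", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
  },
};

// Root findings are the entries whose `via` contains an advisory object;
// the remaining entries are just the packages that depend on them.
function rootAdvisories(report) {
  const roots = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    const advisories = entry.via.filter((v) => typeof v === "object" && v !== null);
    if (advisories.length > 0) {
      roots.push({ package: entry.name, range: entry.range, urls: advisories.map((a) => a.url) });
    }
  }
  return roots;
}

// Walk `effects` from a package up to the dependency the project installs
// directly. Real trees can fan out; this follows the first parent and stops
// on a repeated name so it cannot loop.
function dependencyChain(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  seen.add(name);
  if (!entry || entry.effects.length === 0 || seen.has(entry.effects[0])) return [name];
  return [name, ...dependencyChain(report, entry.effects[0], seen)];
}

// What `npm audit fix` could do: nothing, a compatible update, or a
// semver-major change (what the CLI prints as "a breaking change").
function classifyFix(entry) {
  if (entry.fixAvailable === false) return "none";
  if (entry.fixAvailable === true) return "safe";
  return entry.fixAvailable.isSemVerMajor ? "breaking" : "safe";
}

function triage(report) {
  return rootAdvisories(report).map((root) => {
    const entry = report.vulnerabilities[root.package];
    const chain = dependencyChain(report, root.package);
    const top = report.vulnerabilities[chain[chain.length - 1]];
    return {
      package: root.package,
      chain,
      fix: classifyFix(entry),
      // True when the offered "fix" changes the version of your own direct
      // dependency instead of patching the vulnerable package itself.
      fixChangesDirectDependency: Boolean(top && top.isDirect && entry.fixAvailable && entry.fixAvailable.name === top.name),
      advisories: root.urls,
    };
  });
}

function recommendation(row) {
  const top = row.chain[row.chain.length - 1];
  if (row.fix === "safe") return `${row.package}: run \`npm audit fix\``;
  if (row.fix === "breaking") {
    return `${row.package}: the only fix is a semver-major change of ${top}; ` +
      `check whether ${row.package} is reachable with attacker input before forcing it`;
  }
  return `${row.package}: no fix published; record an accepted risk or replace it`;
}

for (const row of triage(SAMPLE_REPORT)) {
  console.log(row.chain.join(" -> "));
  console.log(recommendation(row));
}
```

The key signal is `fixChangesDirectDependency`: when the only "fix" npm can offer is a semver-major change of the top-level package, `npm audit fix --force` does not patch lodash.pick at all, it swaps the CLI to a different major version. If that version carries its own advisories whose fix is the version you just left, repeated `--force` runs flip between the two, which is consistent with the count going up and then cycling as described above.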
2 Replies
cmck, 2mo ago
Thanks for pointing this out. The vulnerabilities mentioned for lodash are false positives as we don't use the flagged code paths. They can be ignored safely. We're deploying a fix so the false positives won't appear during future installs.
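For readers deciding whether to accept a "we don't use the flagged code paths" answer, the thing to understand is what a prototype-pollution sink needs in order to be exploitable: untrusted key names flowing into a recursive merge-style function. The following is an added example, not code from the original post, from Xata, or from lodash. `unsafeMerge` is deliberately vulnerable, `safeMerge` is the hardened form, and `copyAllowed` shows the shape of code that calls into a merge-like helper without ever being a sink. The JSON payload is constructed for the example.

```javascript
// Added example, not from the original post, Xata or lodash. unsafeMerge is
// deliberately vulnerable; ATTACKER_JSON is a constructed payload.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "name": "eve"}';

// Vulnerable: recursive merge that trusts key names. JSON.parse creates an
// own property literally named "__proto__"; reading target["__proto__"] on a
// plain object then yields Object.prototype, and the recursion writes
// isAdmin onto it, so every object in the process inherits it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into a container that is the target's own property, never an inherited one.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, depending on the API contract
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Not a sink by construction: the program, not the input, chooses the key
// names. A merge-like helper only becomes a prototype-pollution sink when
// untrusted key names flow into it; this is what "the flagged code path is
// not used" has to mean in practice.
function copyAllowed(target, source, allowedKeys) {
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(source, key)) target[key] = source[key];
  }
  return target;
}

// Run a merge against the payload and report whether an unrelated, freshly
// created object inherited `isAdmin`. Removes the polluted property
// afterwards so successive calls are independent.
function leaksIntoUnrelatedObjects(mergeFn) {
  const config = {};
  mergeFn(config, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log("unsafeMerge pollutes:", leaksIntoUnrelatedObjects(unsafeMerge)); // true
console.log("safeMerge pollutes:", leaksIntoUnrelatedObjects(safeMerge)); // false
console.log("copyAllowed pollutes:", leaksIntoUnrelatedObjects((t, s) => copyAllowed(t, s, ["name"]))); // false
```

When auditing a transitive finding like the one above, the question to ask the maintainer is therefore not "is the function present in node_modules" but "does any request-controlled object reach a call that iterates its keys". If the answer is no, the advisory is unreachable in that build, which is the claim made in the reply above.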
Cawfehhh (OP), 2mo ago
awesome. thanks!