Heroku CLI security vulnerabilities

[htiwari1986]

What is the current behavior?

I am using the latest Heroku CLI (heroku/10.16.0 linux-x64 node-v20.19.6), which we have baked into our Docker image; however, it is introducing certain vulnerabilities. Below are the details of the affected packages.

Package names with Severity

P0

• pkg:npm/plist@3.0.6

P1

• npm:glob@10.5.0
• npm:diff@7.0.0
• npm:diff@4.0.1

P2

• npm:tmp@0.0.33
• npm:async@2.6.4
• npm:async@3.2.4
• npm:brace-expansion@1.1.11

What is the expected behavior?

Can you please remediate the security vulnerabilities in CLI?

[tlowrimore-heroku]

Thank you for reporting this issue. We are currently assessing these vulnerabilities to determine a next course of action. I'll post updates on my findings, shortly.

[tlowrimore-heroku]

Hi @htiwari1986, when you have a moment, can you share the process by which you discovered these vulnerabilities? Thanks!

[htiwari1986]

Hi @tlowrimore-heroku, We bake heroku-cli in a container image and scan the image using Nexus