Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address CVE-2022-37614 #874

Closed
joshftb opened this issue Oct 25, 2022 · 3 comments
Closed

Address CVE-2022-37614 #874

joshftb opened this issue Oct 25, 2022 · 3 comments
Assignees
@Roman-Shchukin
Labels
Area: TaskLib enhancement

Comments

@joshftb
Copy link

joshftb commented Oct 25, 2022
edited
Loading

Please check our current Issues to see if someone already reported this https://github.com/Microsoft/azure-pipelines-task-lib/issues

Environment

azure-pipelines-task-lib version: 3.3.1

Issue Description

There is a prototype pollution bug in mockery, a prod dependency
package.json here

Steps to reproduce

Run Component Governance on the pipeline

Logs

n/a
@katydecorah katydecorah mentioned this issue Oct 26, 2022
Merged
2 tasks
@Roman-Shchukin Roman-Shchukin self-assigned this Oct 27, 2022
This was referenced Oct 27, 2022
Merged
Merged
@lmmarsano
Copy link

lmmarsano commented Jan 13, 2023
edited
Loading

How as this closed?
The latest version is vulnerable.
mfncooper/mockery appears to be an unmaintained package that hasn't been updated since 2017 or closed pull requests since 2018.
The code is fairly short.
Perhaps this repo should copy it or import a different package.

@Roman-Shchukin @joshftb Please reopen.

@saurabh-humana
Copy link

Please re-open as latest version of mockery (2.1.0) is also flagged with CVE-2022-37614

@maksimu
Copy link

maksimu commented Jul 31, 2023

The Security team of one of our customers is reporting this vulnerability to us and are demanding to provide a fix for it. Is the a work around to remove this mockery library somehow?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Roman-Shchukin Roman-Shchukin

Labels
Area: TaskLib enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@maksimu @lmmarsano @saurabh-humana @joshftb @Roman-Shchukin