
Latest version of cli is pulling in insecure packages that have available patches #6508

Closed
3 tasks done
G-Rath opened this issue Apr 11, 2024 · 4 comments
Labels
type: bug code to address defects in shipped code

Comments


G-Rath commented Apr 11, 2024

Describe the bug

npm/cli#7356 - the use of a shrinkwrap means that even though there are available patches for these vulnerabilities, we're not able to install them.

Current vulnerabilities:

`npm audit` output as of 2024-04-23
❯ npm audit
# npm audit report

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/follow-redirects

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/tar

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/word-wrap

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Steps to reproduce

  1. Install cli locally (npm install netlify-cli)
  2. Run npm audit

Configuration

No response

Environment

Does not matter

@G-Rath G-Rath added the type: bug code to address defects in shipped code label Apr 11, 2024
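The issue body describes the mechanism without showing it: a package that ships an npm-shrinkwrap.json pins its own transitive dependencies, so `npm audit` in the consuming project can report "fix available" while `npm audit fix` has nothing it is allowed to change. The script below is an added example (not code from this issue or from the netlify-cli project) that reads the shrinkwrap a package ships and reports which pinned versions still fall inside a vulnerable range. The advisory ranges are taken from the audit output above; the shrinkwrap it runs on stand-alone is a small constructed sample, and `auditShrinkwrapFile` is a hypothetical helper name for pointing it at a real file such as node_modules/netlify-cli/npm-shrinkwrap.json.

```javascript
// Added example, not part of the netlify-cli issue or project.
// Audit the npm-shrinkwrap.json a published package ships against known
// vulnerable ranges. npm honours a dependency's shrinkwrap, so `npm audit fix`
// in the consuming project cannot move these packages; only a new release of
// the shrinkwrapped package can.

// Vulnerable ranges copied from the `npm audit` report in the issue. The two
// follow-redirects advisories share one fixed version, so one entry covers both.
const ADVISORIES = [
  { name: 'follow-redirects', vulnerable: '<=1.15.5', advisory: 'GHSA-jchw-25xp-jwwc, GHSA-cxjh-pqwp-8mfp' },
  { name: 'tar',              vulnerable: '<6.2.1',   advisory: 'GHSA-f5x3-32g6-xq36' },
  { name: 'word-wrap',        vulnerable: '<1.2.4',   advisory: 'GHSA-j8xg-fqg3-53r7' },
];

// Constructed lockfile-v3-style shrinkwrap used for the stand-alone run.
// Real shrinkwraps are far larger; only the shape of "packages" matters here.
// word-wrap is already at the fixed version and the nested tar copy is patched,
// so neither of those should be reported.
const SAMPLE_SHRINKWRAP = JSON.stringify({
  name: 'some-cli', version: '1.0.0', lockfileVersion: 3,
  packages: {
    '': { name: 'some-cli', version: '1.0.0' },
    'node_modules/follow-redirects': { version: '1.15.4' },
    'node_modules/tar': { version: '6.2.0' },
    'node_modules/word-wrap': { version: '1.2.4' },
    'node_modules/foo/node_modules/tar': { version: '6.2.1' },
  },
});

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes are dropped, which is enough for the ranges above.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside a single upper-bound range like "<6.2.1" or "<=1.15.5".
// Only these two operators are modelled, matching how the advisories are expressed.
function inRange(version, range) {
  const m = /^(<=?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return m[1] === '<' ? c < 0 : c <= 0;
}

// Walk the "packages" map of a lockfile v2/v3 shrinkwrap. The package name is
// everything after the last "node_modules/" in the path (scoped names included),
// so nested duplicate copies are checked as well as top-level ones.
function findPinnedVulnerable(shrinkwrapJson, advisories = ADVISORIES) {
  const lock = JSON.parse(shrinkwrapJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !entry.version) continue; // root project or link entries
    const name = path.slice(idx + 'node_modules/'.length);
    for (const adv of advisories) {
      if (adv.name === name && inRange(entry.version, adv.vulnerable)) {
        findings.push({ path, name, version: entry.version, vulnerable: adv.vulnerable, advisory: adv.advisory });
      }
    }
  }
  return findings;
}

// Hypothetical helper: run the check on a real shipped shrinkwrap, e.g.
// auditShrinkwrapFile('node_modules/netlify-cli/npm-shrinkwrap.json').
function auditShrinkwrapFile(filePath) {
  const fs = require('fs');
  return findPinnedVulnerable(fs.readFileSync(filePath, 'utf8'));
}

// Stand-alone run against the constructed sample.
for (const f of findPinnedVulnerable(SAMPLE_SHRINKWRAP)) {
  console.log(`${f.path}@${f.version} is in ${f.vulnerable} (${f.advisory})`);
}
```

Running it on the sample reports follow-redirects 1.15.4 and the top-level tar 6.2.0 and nothing else; this is the condition `npm audit` flags in the issue, and the reason the fix has to land in a new netlify-cli release rather than in the consuming project's lockfile.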

G-Rath commented Apr 21, 2024

Now there's a vulnerability in tar to update too: #6504


G-Rath commented Apr 22, 2024

@sarahetter thanks for the quick turnaround on getting word-wrap updated! To help, I've updated the description of this issue with the current vulnerabilities along with their dependabot PRs that'll address them - let me know if there's anything else I can do to make it easier to get these addressed

@sarahetter sarahetter self-assigned this Apr 22, 2024

G-Rath commented Apr 25, 2024

@sarahetter thanks for such a fast turnaround - I've confirmed that the latest version of netlify-cli is no longer pulling in vulnerabilities:

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0
❯ npm outdated
Package      Current   Wanted   Latest  Location                  Depended by
netlify-cli  17.22.1  17.23.0  17.23.0  node_modules/netlify-cli  net

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0 took 2s
❯ npm update netlify-cli

added 37 packages, removed 5 packages, and changed 83 packages in 11s

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0 took 10s
❯ npm audit
found 0 vulnerabilities

workspace/projects-scrap/net is 📦 v1.0.0 via  v20.11.0
❯ osv-detector-t .
Loaded the following OSV databases:
  npm (14443 vulnerabilities, including withdrawn - last updated Thu, 25 Apr 2024 22:49:44 GMT)

package-lock.json: found 1134 packages
  Using db npm (14443 vulnerabilities, including withdrawn - last updated Thu, 25 Apr 2024 22:49:44 GMT)

  no known vulnerabilities found

I assume you're happy for me to open a new issue with a similar format in future if new vulnerabilities come up, but let me know if there's another format you'd prefer 🙂

sarahetter (Contributor) commented

@G-Rath we've set up better tooling for us to notice these as they come up, thank you!
