security issue: @microsoft/teamsfx-cli depends on adal-node which depends on xmldom version with security vulnerability #6485

Closed
JensMadsen opened this issue Oct 25, 2022 · 3 comments

@JensMadsen

see: Azure/ms-rest-nodeauth#146 (comment)

@ghost

ghost commented Oct 25, 2022

Thank you for contacting us! Any issue or feedback from you is quite important to us. We will do our best to fully respond to your issue as soon as possible. Sometimes additional investigations may be needed; we will usually get back to you within 2 days by adding comments to this issue. Please stay tuned.

@Alive-Fish
Contributor

Hi @JensMadsen, thanks for reporting it. I have checked the package-lock.json in the source code and cannot find the adal-node dependency.

Do you mean the latest published @microsoft/teamsfx-cli? If yes, I will reply to you when the new version has been published.

@JensMadsen
Author

Hi @Alive-Fish. You are right. Sorry about the noise. I was told by your colleagues to report it here, but it turns out that it is the package that uses an old version; see https://github.com/OfficeDev/Office-Addin-Scripts/blob/e9cd6b6456c7b79621e5d4c07206e6cc1ab47df9/packages/office-addin-dev-settings/package.json#L25. Sorry about the noise and sorry for not checking it properly! I close the issue.
