
[CVEs] Critical and High CVEs reported on @Salesforce/CLI and @Salesforce/CLI dependencies #2599

Closed
eugenepugach opened this issue Dec 8, 2023 · 3 comments
Labels
more information required Issue requires more information or a response from the customer

Comments

@eugenepugach

Affects @Salesforce/CLI Version:
2.21.7

Description:
Hello @Salesforce/CLI team. We scanned the @Salesforce/CLI source code with Snyk and another system; they reported critical and high CVEs.
These vulnerabilities also block deployment and creating the Docker image and other servers:

Vulnerable Library: ⚠️ ejs 3.1.8, 3.1.9 (/home/node/app/node_modules/@salesforce/cli/node_modules/ejs/package.json)

Severity:
🚫 CRITICAL
CVE-2023-29827


Vulnerable Library: ⚠️ ejs 3.1.8 (/home/node/app/node_modules/@salesforce/cli/node_modules/ejs/package.json)

Severity:
🚫 CRITICAL
VULNDB-320093


Vulnerable Library: ⚠️ proxy-agent (/home/node/app/node_modules/@salesforce/cli/node_modules/proxy-agent/package.json)

Severity:
🚫 CRITICAL
VULNDB-326165


Vulnerable Library: ⚠️ websocket-extensions 0.1.1 (/home/node/app/node_modules/@salesforce/cli/node_modules/websocket-extensions/package.json)

Severity:
🚫 HIGH
VULNDB-231008

Fixed Version:
♻️ websocket-extensions - 0.1.5


Vulnerable Library: ⚠️ websocket-extensions (/home/node/app/node_modules/@salesforce/cli/node_modules/websocket-extensions/package.json)

Severity:
🚫 HIGH
CVE-2020-7663


Vulnerable Library: ⚠️ import-in-the-middle 1.3.5 (/home/node/app/node_modules/@salesforce/cli/node_modules/import-in-the-middle/package.json)

Severity:
🚫 HIGH
CVE-2023-38704


Vulnerable Library: ⚠️ opentelemetry/instrumentation 0.40.0

Severity:
🚫 HIGH
CVE-2023-38704

Fixed Version:
♻️ opentelemetry/instrumentation 0.41.2


Vulnerable Library: ⚠️ semver 7.3.7, 7.5.1, 5.7.1, 6.3.0 (a lot of cli dependent packages)

Severity:
🚫 HIGH
CVE-2022-25883


Vulnerable Library: ⚠️ cli-table 0.3.11

Severity:
🚫 HIGH
CVE-2022-25883


Vulnerable Library: ⚠️ [email protected]

Severity:
🚫 HIGH
CVE-2021-23337


Vulnerable Library: ⚠️ [email protected]

Severity:
🚫 MEDIUM
CVSS 6.2


Vulnerable Library: ⚠️ clone 2.1.2

Severity:
🚫 MEDIUM
CVE-2023-3977


Vulnerable Library: ⚠️ clone 2.1.2

Severity:
🚫 MEDIUM
CVE-2023-0958


Vulnerable Library: ⚠️ yarn 1.22.19

Severity:
🚫 MEDIUM
VULNDB-204264


@eugenepugach eugenepugach added the investigating We're actively investigating this issue label Dec 8, 2023

github-actions bot commented Dec 8, 2023

Hello @eugenepugach 👋 It looks like you didn't include the full Salesforce CLI version information in your issue.
Please provide the output of version --verbose --json for the CLI you're using (sf or sfdx).

A few more things to check:

  • Make sure you've provided detailed steps to reproduce your issue.
    • A repository that clearly demonstrates the bug is ideal.
  • Make sure you've installed the latest version of Salesforce CLI. (docs)
    • Better yet, try the rc or nightly versions. (docs)
  • Try running the doctor command to diagnose common issues.
  • Search GitHub for existing related issues.

Thank you!

@github-actions github-actions bot added more information required Issue requires more information or a response from the customer and removed investigating We're actively investigating this issue labels Dec 8, 2023

github-actions bot commented Dec 8, 2023

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.

@mdonnalley
Contributor

Thanks @eugenepugach. Many of these aren't actionable for us - for instance, ejs disputes the validity of the vulnerability, which means that they likely won't patch it. Also, many of the vulnerabilities don't apply in the context of a CLI. Again using ejs as an example, our CLI is not vulnerable to server-side template injection.

But we'll continue to bump dependencies as patches become available.
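
The triage described in the reply above (suppress findings that are disputed upstream or whose vulnerable code path a CLI never reaches, keep bumping the rest) together with the fixed-version check behind the issue's "Fixed Version" lines, as an added example. This is not code from the Salesforce CLI project or from either commenter. It assumes Node.js with no third-party packages; the findings are transcribed from the issue text, while the policy entry, its justification wording, the `installedNow` map and the function names are hypothetical.

```javascript
// Added example, not code from the Salesforce CLI project: triage SCA findings
// the way the maintainer reply above does, then gate a build on what is left.
// Runs offline under Node with no dependencies. The policy entries and the
// "installedNow" map are constructed for illustration.

// Strict x.y.z comparison. A plain parser is enough here and keeps the example
// off the semver package's range parser, which is what CVE-2022-25883 (one of
// the findings above) concerns.
function parseVersion(v) {
  const parts = String(v).split('.');
  if (parts.length !== 3 || !parts.every((p) => /^[0-9]+$/.test(p))) {
    throw new Error(`not a plain x.y.z version: ${v}`);
  }
  return parts.map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Findings transcribed from the issue text. `fixedIn` is null where the issue
// lists no fixed version. The OpenTelemetry package is written with its npm
// scope here; the issue omits the "@".
const findings = [
  { pkg: 'ejs', installed: '3.1.9', id: 'CVE-2023-29827', severity: 'CRITICAL', fixedIn: null },
  { pkg: 'websocket-extensions', installed: '0.1.1', id: 'CVE-2020-7663', severity: 'HIGH', fixedIn: '0.1.5' },
  { pkg: '@opentelemetry/instrumentation', installed: '0.40.0', id: 'CVE-2023-38704', severity: 'HIGH', fixedIn: '0.41.2' },
  { pkg: 'semver', installed: '7.5.1', id: 'CVE-2022-25883', severity: 'HIGH', fixedIn: null },
  { pkg: 'clone', installed: '2.1.2', id: 'CVE-2023-3977', severity: 'MEDIUM', fixedIn: null },
];

// Reviewed suppressions (hypothetical entry modelled on the reply above).
// Every entry must carry a justification naming why the vulnerable code path
// is unreachable or the advisory is disputed, so suppressions stay auditable.
const policy = [
  {
    pkg: 'ejs',
    id: 'CVE-2023-29827',
    status: 'not_affected',
    justification: 'upstream disputes the advisory; the CLI renders no attacker-controlled templates, so there is no SSTI surface',
  },
];

const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1 };

// Returns one decision per finding. `installedNow` lets a newer lockfile
// override the version the scanner originally saw. Evidence (a fix already
// installed) wins over opinion (a suppression), which wins over the gate level.
function triage(items, suppressions, { minSeverity = 'HIGH', installedNow = {} } = {}) {
  for (const s of suppressions) {
    if (typeof s.justification !== 'string' || s.justification.trim().length < 20) {
      throw new Error(`suppression for ${s.pkg}/${s.id} needs a real justification`);
    }
  }
  return items.map((f) => {
    const current = installedNow[f.pkg] ?? f.installed;
    const suppression = suppressions.find((s) => s.pkg === f.pkg && s.id === f.id);
    let status;
    let reason;
    if (f.fixedIn && compareVersions(current, f.fixedIn) >= 0) {
      status = 'fixed';
      reason = `${f.pkg}@${current} is at or above ${f.fixedIn}`;
    } else if (suppression) {
      status = suppression.status;
      reason = suppression.justification;
    } else if (SEVERITY_RANK[f.severity] < SEVERITY_RANK[minSeverity]) {
      status = 'below_threshold';
      reason = `${f.severity} is below the ${minSeverity} gate`;
    } else if (f.fixedIn) {
      status = 'actionable';
      reason = `bump ${f.pkg} from ${current} to ${f.fixedIn}`;
    } else {
      status = 'no_fix_listed';
      reason = 'no fixed version reported; re-check on the next scan';
    }
    return { ...f, current, status, reason };
  });
}

// Build gate: only findings with an available fix that is not yet applied
// fail the build; disputed, unreachable and unfixable ones are reported only.
function gateExitCode(results) {
  return results.some((r) => r.status === 'actionable') ? 1 : 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  const results = triage(findings, policy);
  for (const r of results) {
    console.log(`${r.status.padEnd(15)} ${r.pkg}@${r.current} ${r.id}: ${r.reason}`);
  }
  // In CI: process.exitCode = gateExitCode(results);
  console.log(`gate exit code: ${gateExitCode(results)}`);
}
```

With the findings as filed, the two packages that have a listed fix (websocket-extensions, @opentelemetry/instrumentation) are the only ones that fail the gate; re-running with those versions bumped in `installedNow` turns them into `fixed` and the gate passes even though the disputed ejs advisory and the unfixed semver and clone findings are still reported.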
