[Security Vulnerabilities ] High severity vulnerability exists in Heroku CLI (heroku/9.2.1 linux-x64 node-v16.20.2)

[debabrata-shome]

This project is for the Heroku CLI only and issues are reviewed as we are able. If you need more immediate assistance or help with anything not specific to the CLI itself, please use https://help.heroku.com.

Do you want to request a feature or report a bug?

I am trying to report a High-severity (P0) security bug that is present in Heroku CLI due to dependent libraries

• npm:plist
• npm:ip
• npm:ejs
• npm:exca

Version Details : heroku/9.2.1 linux-x64 node-v16.20.2

What is the current behavior?

If the current behavior is a bug, please provide the steps to reproduce.

• https://cwe.mitre.org/data/definitions/1321.html
• https://cwe.mitre.org/data/definitions/78.html
• https://cwe.mitre.org/data/definitions/74.html
• https://cwe.mitre.org/data/definitions/918.html

More details on CVEs

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29827
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42282
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39353
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37616

What is the expected behavior?

Please update the third party library to remediate the vulnerabilities from Heroku CLI

[sbosio]

Hi @debabrata-shome, we're working on our upcoming release for Heroku CLI v10 that will drop support for Node 16 and will allow us to upgrade some blocked dependencies and get rid of all of these vulnerabilities.

We'll let you know when our next major version release is out and close this report.

Best!

[eablack]

Hi,

I'm going to close this issue for now as we have since gone to CLI v10 and resolved many security vulnerabilities, including, I think, these. Please feel free to resubmit. The format of this issue could be improved by specifying which versions of the packages have which vulnerabilities. If it's possible to include that info in the future, please do so.