Dependabot issues when making a project with the CLI as a package.

[SebbeJohansson]

Current behavior:

"Command injection in git-clone" and "Got allows a redirect to a UNIX socket" High and Moderate warnings from dependabot when using storyblok-cli.

Expected behavior:

I expect there to not be any dependabot alerts when using the cli.

Steps to reproduce:

Install the cli in a project.
Upload project to github.
https://github.com/SebbeJohansson/Vrtx.ContentSystem/security/dependabot/9
https://github.com/SebbeJohansson/Vrtx.ContentSystem/security/dependabot/8

Related code:
https://github.com/SebbeJohansson/Vrtx.ContentSystem/

[thiagosaife]

@SebbeJohansson We'll investigate this. Thanks for reporting.

[SebbeJohansson]

Here is how it shows up in my node project:

[jackmaders]

Are there any plans to address these vulnerabilities?

[Welliba-Sven-Barkhahn]

Hello, is there any update on this?

There is also an Axios Cross-Site Request Forgery Vulnerability.
(An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.) It's patched in version 1.6