This repository has been archived by the owner on Jan 24, 2022. It is now read-only.

npm audit reports critical vulnerability when @openzeppelin/cli is installed #1550

Open
shark0der opened this issue Jun 5, 2020 · 3 comments

@shark0der

shark0der commented Jun 5, 2020

[screenshot of the npm audit output]

I've skimmed through the source; I wouldn't say you're affected, but you'd probably want to remove the dependency and implement those functions yourself.

Advisory: https://npmjs.com/advisories/1507

Usages

  1. await npm.install([nameAndVersion], { save: true, cwd: process.cwd() });
  2. const packagesList = await npm.list(path);

Looking at the dependency itself, I'd suggest implementing exec commands in your sdk and getting rid of the dep as it doesn't seem to be actively maintained.

Dep source: https://github.com/Manak/npm-programmatic/blob/master/index.js

Initially reported on Telegram: https://t.me/zeppelinos/12443

@abcoathup
Contributor

Hi @shark0der!

Thanks so much for reporting it! The project owner will review and triage this issue during the next week.

@frangio
Contributor

frangio commented Jun 8, 2020

Thanks for reporting @shark0der. I looked into this and I don't think it's a vulnerability for OpenZeppelin CLI users, because the places where there could be command injection in the user's machine are controlled by the user.

@shark0der
Author

Hi @frangio! Indeed, like I said before, it doesn't seem like there's an impact (unless of course there are specific scenarios for some users), however, having npm audit report a critical vulnerability after the installation doesn't look pretty and might scare some users. That being said, fixing this doesn't need a very high priority but it would be nice to have it fixed sooner than later.
