Packages with vulnerability

[t1gu1]

Describe the issue that you're seeing. Any Loom videos or screenshots usually help a lot!

Some package contain vulnerabilities.

Reproduction

localhost

Steps to reproduce

• npm install
• npm audit

System Info

- Mac OS
- Node ➜ v18.16.0
- Node ➜ 9.5.1
- tinacms ➜ 1.6.0
- tinacms/cli ➜ 1.5.42

Validations

• Follow our Code of Conduct
• Read the docs.
• Check that there isn't already an issue that reports the same bug.

[exofoliohq]

I see the same on my end with :

- Windows 11
- Node ➜ v20.12.0
- tinacms ➜ 1.6.1
- tinacms/cli ➜ 1.5.43

Terminal output :

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/axios
  @tinacms/cli  *
  Depends on vulnerable versions of @tinacms/app
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of tinacms
  node_modules/@tinacms/cli

lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
No fix available
node_modules/lodash.set
  tinacms  <=0.0.0-20240328200248 || 0.4.0-dev.0 || >=0.50.0
  Depends on vulnerable versions of lodash.set
  node_modules/tinacms
    @tinacms/app  <=0.0.22 || >=1.2.0
    Depends on vulnerable versions of tinacms
    node_modules/@tinacms/app

5 vulnerabilities (1 moderate, 4 high)

Some issues need review, and may require choosing
a different dependency.

May bumping up these dependencies be simple, straightforward and break nothing 🤞

[ncn-ssw]

Parked in Sprint 3 due to onboarding issues