pnpm audit reports high severity vulnerabilities in transitive dependencies
Running pnpm audit reveals multiple vulnerabilities coming from transitive dependencies used by @trigger.dev/core, specifically via @opentelemetry/host-metrics.
High severity issues (systeminformation)
All high severity issues originate from the systeminformation package:
- Command Injection in fsSize() (Windows only)
  Affects: <5.27.14
  Fixed in: >=5.27.14
  Advisory: GHSA-wphj-fx3q-84ch
- Command Injection via unsanitized locate output in versions()
  Affects: <=5.30.7
  Fixed in: >=5.31.0
  Advisory: GHSA-5vv4-hvf7-2h46
- Command Injection via unsanitized interface parameter in wifi.js retry path
  Affects: <5.30.8
  Fixed in: >=5.30.8
  Advisory: GHSA-9c88-49p5-5ggf
Dependency path:
@trigger.dev/build
└─ @trigger.dev/core
   └─ @opentelemetry/host-metrics
      └─ systeminformation
All issues are resolved in systeminformation >= 5.31.0, so upgrading to at least this version should address all high severity findings.
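As an added illustration (not part of the issue and not code from trigger.dev or pnpm), the script below checks a resolved systeminformation version against the three advisories listed above and walks a dependency tree shaped like `pnpm list --json --depth Infinity` output to find where the package is pulled in. The advisory ids and version ranges are copied from the issue; the tree, the `0.0.0-example` versions and the installed version `5.27.0` are constructed sample data, and the version comparison is a deliberately minimal major.minor.patch compare so the script runs without the `semver` package.

```javascript
// Added example: map the advisories from the issue onto a resolved version.
// Ranges and GHSA ids come from the issue; everything else is constructed.
const ADVISORIES = [
  { id: 'GHSA-wphj-fx3q-84ch', title: 'Command Injection in fsSize() (Windows only)',
    affected: '<5.27.14', fixed: '5.27.14' },
  { id: 'GHSA-5vv4-hvf7-2h46', title: 'Command Injection via unsanitized locate output in versions()',
    affected: '<=5.30.7', fixed: '5.31.0' },
  { id: 'GHSA-9c88-49p5-5ggf', title: 'Command Injection via unsanitized interface parameter in wifi.js retry path',
    affected: '<5.30.8', fixed: '5.30.8' },
];

// Minimal semver handling (major.minor.patch only, prerelease tags ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` fall inside a single-bound range such as "<5.27.14" or "<=5.30.7"?
function inRange(version, range) {
  const m = /^(<=|<|>=|>)(.+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1]) {
    case '<':  return c < 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '>=': return c >= 0;
  }
}

// Advisories that still apply to the given resolved version.
function affectedAdvisories(version) {
  return ADVISORIES.filter((a) => inRange(version, a.affected));
}

// Smallest version that clears every listed advisory (the highest "fixed" bound).
function minimumSafeVersion() {
  return ADVISORIES.map((a) => a.fixed)
    .reduce((hi, v) => (compareVersions(v, hi) > 0 ? v : hi));
}

// Walk a `dependencies` object of the shape pnpm's JSON listing produces
// ({ name: { version, dependencies: {...} } }) and collect every resolved
// copy of `name` with the path that leads to it.
function findResolved(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree)) {
    const p = [...path, `${dep}@${info.version}`];
    if (dep === name) out.push({ path: p, version: info.version });
    if (info.dependencies) findResolved(info.dependencies, name, p, out);
  }
  return out;
}

// Constructed sample tree mirroring the dependency path in the issue; the
// versions are placeholders, not real releases.
const SAMPLE_TREE = {
  '@trigger.dev/build': { version: '0.0.0-example', dependencies: {
    '@trigger.dev/core': { version: '0.0.0-example', dependencies: {
      '@opentelemetry/host-metrics': { version: '0.0.0-example', dependencies: {
        'systeminformation': { version: '5.27.0' },
      } },
    } },
  } },
};

// Report each resolved copy and the advisories it is still exposed to.
function report(tree) {
  return findResolved(tree, 'systeminformation').map((hit) => ({
    path: hit.path.join(' > '),
    version: hit.version,
    open: affectedAdvisories(hit.version).map((a) => a.id),
    upgradeTo: minimumSafeVersion(),
  }));
}

for (const r of report(SAMPLE_TREE)) console.log(r);
```

The same check can be pointed at real data by feeding `findResolved` the `dependencies` object from `pnpm list --json --depth Infinity`. Forcing the transitive version is done with a `pnpm.overrides` entry in package.json (for example `"systeminformation": ">=5.31.0"`), after which `pnpm install` and a fresh `pnpm audit` confirm the findings are gone; `pnpm why systeminformation` shows the path that pulls it in.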