GitHub user amoeba closed the discussion with a comment: Dependency vulnerability
Hi @develyan, thanks for the report. This looks like it has been resolved upstream and is no longer an issue, see that newer versions of command-line-usage and its dependents are brought in:

```sh
❯ npm ls --all
[email protected] /work/test-package
└─┬ [email protected]
  ├─┬ @swc/[email protected]
  │ └── [email protected] deduped
  ├── @types/[email protected]
  ├── @types/[email protected]
  ├─┬ @types/[email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ ├── UNMET OPTIONAL DEPENDENCY @75lb/nature@latest
  │ ├── [email protected]
  │ ├─┬ [email protected]
  │ │ └── UNMET OPTIONAL DEPENDENCY @75lb/nature@latest
  │ ├── [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ ├── [email protected] deduped
  │ ├─┬ [email protected]
  │ │ └─┬ [email protected]
  │ │   ├─┬ [email protected]
  │ │   │ └─┬ [email protected]
  │ │   │   └── [email protected]
  │ │   └─┬ [email protected]
  │ │     └── [email protected]
  │ ├─┬ [email protected]
  │ │ ├── [email protected] deduped
  │ │ └── [email protected]
  │ └── [email protected] deduped
  ├── [email protected]
  ├── [email protected]
  └── [email protected]
```

A few other notes:

- If you do have a provably exploitable software vulnerability to disclose, in the future you can follow the ASF reporting process for private disclosure at https://www.apache.org/security/
- This vulnerability was only in a command line interface which makes it much less of a problem
- The Arrow JavaScript implementation has moved to https://github.com/apache/arrow-js and you can file [issues](https://github.com/apache/arrow-js/issues) or [discussions](https://github.com/apache/arrow-js/discussions) there in the future

I'm going to close this discussion but please feel free to let me know if you think I've missed something here.

GitHub link: https://github.com/apache/arrow/discussions/46826#discussioncomment-13487026
