GitHub user amoeba closed the discussion with a comment: Dependency vulnerability
Hi @develyan, thanks for the report. This looks like it has been resolved upstream and is no longer an issue, see that newer versions of command-line-usage and its dependents are brought in:

```sh
❯ npm ls --all
test-package@1.0.0 /work/test-package
└─┬ apache-arrow@20.0.0
  ├─┬ @swc/helpers@0.5.17
  │ └── tslib@2.8.1 deduped
  ├── @types/command-line-args@5.2.3
  ├── @types/command-line-usage@5.0.4
  ├─┬ @types/node@20.19.1
  │ └── undici-types@6.21.0
  ├─┬ command-line-args@6.0.1
  │ ├── UNMET OPTIONAL DEPENDENCY @75lb/nature@latest
  │ ├── array-back@6.2.2
  │ ├─┬ find-replace@5.0.2
  │ │ └── UNMET OPTIONAL DEPENDENCY @75lb/nature@latest
  │ ├── lodash.camelcase@4.3.0
  │ └── typical@7.3.0
  ├─┬ command-line-usage@7.0.3
  │ ├── array-back@6.2.2 deduped
  │ ├─┬ chalk-template@0.4.0
  │ │ └─┬ chalk@4.1.2
  │ │   ├─┬ ansi-styles@4.3.0
  │ │   │ └─┬ color-convert@2.0.1
  │ │   │   └── color-name@1.1.4
  │ │   └─┬ supports-color@7.2.0
  │ │     └── has-flag@4.0.0
  │ ├─┬ table-layout@4.1.1
  │ │ ├── array-back@6.2.2 deduped
  │ │ └── wordwrapjs@5.1.0
  │ └── typical@7.3.0 deduped
  ├── flatbuffers@25.2.10
  ├── json-bignum@0.0.3
  └── tslib@2.8.1
```

A few other notes:

- If you do have a provably exploitable software vulnerability to disclose, in the future you can follow the ASF reporting process for private disclosure at https://www.apache.org/security/
- This vulnerability was only in a command line interface which makes it much less of a problem
- The Arrow JavaScript implementation has moved to https://github.com/apache/arrow-js and you can file [issues](https://github.com/apache/arrow-js/issues) or [discussions](https://github.com/apache/arrow-js/discussions) there in the future

I'm going to close this discussion but please feel free to let me know if you think I've missed something here.

GitHub link: https://github.com/apache/arrow/discussions/46826#discussioncomment-13487026

----
This is an automatically sent email for user@arrow.apache.org.
To unsubscribe, please send an email to: user-unsubscr...@arrow.apache.org