Hello
I'm getting an error today in my pipeline that runs npm audit -prod
luxon 2.0.0 - 2.5.1
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix --force`
Will install @ArcGIS/core@4.25.5, which is outside the stated dependency range
node_modules/luxon
@ArcGIS/core 4.21.0-next.20210721 - 4.25.0-next.20221108
Depends on vulnerable versions of luxon
node_modules/@arcgis/core
All versions of ArcGIS are using luxon versions that have this vulnerability. On GitHub for luxon it says to update to newer versions:
https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
Is ArcGIS going to release an update soon? If not, I cannot release my app since I'm not allowed to deploy high severity vulnerabilities.
Is there a work around while you work on an upgrade?
Thank you
Fabian
Response from ESRI support
Hello Fabian,
I did receive a response from Esri inc. and this issue has already been resolved in the next release. When the next release comes out you will just need to upgrade. The next release has been updated to 3.2.1.
The next release of the JavaScript SDK is scheduled for late February or early March of 2023.
Let me know if you have any further questions.
Thank you,
Victor C.
Esri Canada
Also encountering this issue
Same issue here.
Any traction on this from esri yet?
4.26 does not depend on version(s) of the Luxon module affected by CVE-2023-22467.
You can validate this by installing the 4.26 release using the following command:
npm install @ArcGIS/core@next
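As an added example (not code from this thread, from Esri or from luxon), here is a small Node script that does the kind of gate Fabian's pipeline needs: it reads an npm package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and reports every luxon copy, hoisted or nested, whose version falls in the range flagged by GHSA-3xq5-wjfh-ppjc. The 2.0.0 - 2.5.1 range comes from the npm audit output quoted above; treating 3.x below 3.2.1 as affected is an assumption drawn from the 3.2.1 fixed version in the Esri reply. The sample lockfile, its package versions and the function names are constructed for the example.

```javascript
// Added example (not from the thread, Esri, or luxon): scan an npm
// package-lock.json (lockfileVersion 2 or 3, which have a "packages" map
// keyed by install path) for luxon installs in the range flagged by
// GHSA-3xq5-wjfh-ppjc. The 2.0.0 - 2.5.1 range is what npm audit printed
// in the thread; treating 3.x below 3.2.1 as affected is an assumption
// based on the 3.2.1 fixed version mentioned in the Esri reply.

const VULNERABLE_RANGES = [
  { min: [2, 0, 0], maxExclusive: [2, 5, 2] }, // 2.0.0 - 2.5.1, from the audit output
  { min: [3, 0, 0], maxExclusive: [3, 2, 1] }, // assumption: 3.x before 3.2.1
];

// Parse "MAJOR.MINOR.PATCH" and ignore any prerelease/build suffix such as
// "-next.20221108"; prerelease ordering is not needed for this range check.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableLuxon(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.maxExclusive) < 0,
  );
}

// Return every luxon install path whose version falls in a flagged range.
// Nested copies (node_modules/<pkg>/node_modules/luxon) are checked too:
// a fixed hoisted copy does not help if a dependency pins its own older one.
function findVulnerableLuxon(lock) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  }
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages)) {
    if (!installPath.endsWith('node_modules/luxon')) continue;
    if (isVulnerableLuxon(meta.version)) {
      findings.push({ path: installPath, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (versions and layout invented for this example,
// not taken from a real project): a hoisted luxon 2.3.1 next to @arcgis/core,
// and a fixed luxon 3.2.1 nested under another package.
const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app' },
    'node_modules/@arcgis/core': { version: '4.25.5' },
    'node_modules/luxon': { version: '2.3.1' },
    'node_modules/other-lib': { version: '1.0.0' },
    'node_modules/other-lib/node_modules/luxon': { version: '3.2.1' },
  },
};

// CI gate: returns true when the lockfile is clean, false when it should fail.
function report(lock) {
  const findings = findVulnerableLuxon(lock);
  for (const f of findings) {
    console.log(`FAIL ${f.path} has luxon ${f.version} (GHSA-3xq5-wjfh-ppjc)`);
  }
  if (findings.length === 0) console.log('OK no luxon install in a flagged range');
  return findings.length === 0;
}

report(SAMPLE_LOCK);
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the pipeline when `report` returns false. It complements `npm audit` rather than replacing it: it tells you exactly which install path still carries the old luxon after an upgrade such as 4.26, without the `npm audit fix --force` behaviour seen above, which would have moved @arcgis/core to a version outside the declared dependency range.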
I am still in development so I will wait for the official release.
Just installed 4.26.5. This issue has been resolved.