We are currently utilizing Snyk to scan our project dependencies for vulnerabilities. Upon reviewing the results, we have identified a significant number of vulnerabilities in the forest package.json. This is causing issues with our clients, as they require a screenshot of the package dependencies scan.
Observed behavior
We have noticed multiple vulnerabilities originating from the forest package.json.
Expected behavior
Our expectation is to have all dependencies updated to address the identified vulnerabilities.
Thank you for your feedback.
Vulnerability scanning is something we do on a weekly basis.
Can you share with us the packages that present the vulnerabilities you observed?
For your information, recent vulnerabilities have been discovered in some of our agents' dependencies but remain unpatched so far; we're still waiting to upgrade these dependencies to remove the vulnerabilities.
forest-cli@5.0.3 does not contain high vulnerabilities according to GitHub security and npm audit.
You should definitely upgrade to this patch version.
The 4 remaining moderate vulnerabilities on forest-cli need much more work to tackle. We already target a resolution by the end of Q1 2024.
As for pg, it is not a package maintained by Forest Admin; you should consider an upgrade.
The latest version is 8.11.3 (more details here).
Whatever the upgrade, always be careful and test your admin backend with the upgraded dependencies in test environments before releasing to production.
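To answer the "which packages present the vulnerabilities" question above and to tell a patch-fixable high finding apart from a moderate one that needs real work, the following added example (not Forest Admin's code) parses an `npm audit --json` report (auditReportVersion 2, npm 7 or later) and applies a severity gate. The report embedded here is constructed with placeholder package names and advisory URLs, not real advisories.

```javascript
// Node.js, no dependencies. Summarises an `npm audit --json` report
// (auditReportVersion 2) and flags entries at or above a severity threshold.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns counts per severity, the packages that breach the threshold
// (with their advisory URLs and whether `npm audit fix` can resolve them),
// and an overall ok flag suitable for a CI gate.
function summarizeAudit(report, failOn = "high") {
  const threshold = SEVERITY_RANK[failOn];
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    counts[vuln.severity] += 1;
    if (SEVERITY_RANK[vuln.severity] < threshold) continue;
    failing.push({
      name,
      severity: vuln.severity,
      isDirect: Boolean(vuln.isDirect),
      // `via` mixes advisory objects (this package's own advisories) with
      // plain names of vulnerable dependencies it merely depends on.
      advisories: (vuln.via || []).filter((v) => typeof v === "object").map((v) => v.url),
      // fixAvailable is true, false, or an object describing a semver-major fix.
      fixAvailable: vuln.fixAvailable !== false,
    });
  }
  return { counts, failing, ok: failing.length === 0 };
}

// Constructed sample report: placeholder packages, not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "pkg-a": { name: "pkg-a", severity: "high", isDirect: false,
      via: [{ source: 1, name: "pkg-a", severity: "high", url: "https://example.invalid/advisory/1" }],
      effects: ["pkg-b"], range: "<1.2.3", fixAvailable: true },
    "pkg-b": { name: "pkg-b", severity: "high", isDirect: true,
      via: ["pkg-a"], effects: [], range: "*", fixAvailable: true },
    "pkg-c": { name: "pkg-c", severity: "moderate", isDirect: true,
      via: [{ source: 2, name: "pkg-c", severity: "moderate", url: "https://example.invalid/advisory/2" }],
      effects: [], range: "<2.0.0", fixAvailable: false },
  },
};

// Usage: pipe a real report through JSON.parse and pass it in place of SAMPLE_REPORT.
console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT, "high"), null, 2));
```

Gating on "high" reproduces the check in the reply above; lowering `failOn` to "moderate" surfaces the entries whose `fixAvailable` is false, which are the ones that need a maintainer-side upgrade rather than `npm audit fix`.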