Forest dependencies are vulnerable

Feature(s) impacted

Hello,

We are currently utilizing Snyk to scan our project dependencies for vulnerabilities. Upon reviewing the results, we have identified a significant number of vulnerabilities in the forest package.json. This is causing issues with our clients, as they require a screenshot of the package dependencies scan.

Observed behavior

We have noticed multiple vulnerabilities originating from the forest package.json.

Expected behavior

Our expectation is to have all dependencies updated to address the identified vulnerabilities.

Failure Logs

Context

  • Project name: Supermonday
  • Team name:
  • Environment name: Production, Staging
  • Database type: PostgreSQL

Hi Iliyas,

Thank you for your feedback.
Vulnerability scanning is something we do on a weekly basis.

Can you share with us the packages that present the vulnerabilities you observed?

For your information, recent vulnerabilities have been discovered in some of our agents' dependencies but remain unpatched so far; we're still waiting to upgrade these dependencies to remove the vulnerabilities.

Thanks for your help

We can see that dependency patches have been released, so they will be applied to our agents by the end of the week.

Thank you for your reply. Here are some of the packages that contain vulnerabilities (you can see that there are 6 High vulnerabilities).

All High vulnerabilities are coming from forest-cli@5.0.0 and pg@8.2.2

forest-cli@5.0.3 does not contain high vulnerabilities according to GitHub security and npm audit.
You should definitely upgrade to this patch version.

The 4 remaining moderate vulnerabilities on forest-cli need much more work to tackle. We already target a resolution by the end of Q1 2024.

As for pg, it is not a package maintained by Forest Admin; you should consider an upgrade.
The latest version is 8.11.3 (more details here).

Whatever the upgrade, always be careful and test your admin backend with the upgraded dependencies in test environments before releasing to production :pray:

1 Like
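The reply above names two version floors (forest-cli at 5.0.3, pg at 8.11.3). The following script is an added example, not code from this thread or from Forest Admin: it checks a project's declared ranges in package.json and the resolved versions in a v2/v3 package-lock.json against those floors, so a team can confirm the upgrade actually landed (including nested copies of pg pulled in by other packages) before taking the scan screenshot. The package.json and lockfile contents are constructed samples; the floor table is an assumption built from the versions in the reply and is not a Forest Admin artifact.

```javascript
// Added example: verify dependency version floors from the thread.
// Floors are taken from the reply above (assumption: this table is ours,
// not a Forest Admin artifact).
const MIN_VERSIONS = {
  'forest-cli': '5.0.3',
  pg: '8.11.3',
};

// Strip common range prefixes (^, ~, >=, =) and any pre-release/build tag,
// returning [major, minor, patch]. Returns null for ranges that cannot be
// pinned to a concrete version (e.g. "*", "latest", "1.x").
function parseVersion(v) {
  const m = /^[\^~>=\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one (name, version-or-range) pair against the floor table.
function classify(name, version, floors) {
  const declared = parseVersion(version);
  const floor = parseVersion(floors[name]);
  if (declared === null) return 'unpinned';
  return compareVersions(declared, floor) < 0 ? 'below-floor' : 'ok';
}

// Check declared ranges in package.json. A range such as "^5.0.0" only
// states the lowest acceptable version, so a "below-floor" here means the
// manifest still permits a vulnerable version; the lockfile is authoritative.
function checkPackageJson(pkg, floors = MIN_VERSIONS) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (!(name in floors)) continue;
      findings.push({ source: section, name, version: range,
        status: classify(name, range, floors), minimum: floors[name] });
    }
  }
  return findings;
}

// Check resolved versions in a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/pg" or "node_modules/x/node_modules/pg";
// the package name is everything after the last "node_modules/".
function checkLockfile(lock, floors = MIN_VERSIONS) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry, not a dependency
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (!(name in floors)) continue;
    findings.push({ source: key, name, version: entry.version,
      status: classify(name, entry.version, floors), minimum: floors[name] });
  }
  return findings;
}

// Constructed sample inputs mirroring the versions named in the thread.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'supermonday-admin-backend',
  dependencies: { 'forest-cli': '^5.0.0', pg: '8.2.2', express: '^4.18.2' },
  devDependencies: { 'forest-cli': '5.0.3' },
});
const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'supermonday-admin-backend' },
    'node_modules/pg': { version: '8.11.3' },
    'node_modules/forest-cli': { version: '5.0.0' },
    'node_modules/forest-cli/node_modules/pg': { version: '8.2.2' },
  },
});

function runSample() {
  return {
    manifest: checkPackageJson(JSON.parse(SAMPLE_PACKAGE_JSON)),
    lock: checkLockfile(JSON.parse(SAMPLE_LOCKFILE)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { manifest, lock } = runSample();
  for (const f of [...manifest, ...lock]) {
    console.log(`${f.status.padEnd(11)} ${f.name}@${f.version} (min ${f.minimum}) from ${f.source}`);
  }
}
```

The nested `node_modules/forest-cli/node_modules/pg` entry is the case worth watching: upgrading the top-level pg does not touch a copy that another package resolves privately, and that copy is what the scanner will keep reporting.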