What is the impact of these Vulnerabilities reported on a security scan of the node_modules folder when you install the latest npm package azure-pipelines-task-lib? #157370

Manikya-Sarashetty · 2025-04-22T12:22:04Z

Manikya-Sarashetty
Apr 22, 2025

A security scan of the node_modules folder generated during the install of latest [email protected] package resulted for these vulnerabilities for three packages(inflight,wrappy,sevenzip).How do we resolve this and is there any impact of these packages.

candaesCedric · 2025-04-25T11:10:36Z

candaesCedric
Apr 25, 2025

Hello,

[email protected] does not use 7-zip. If you see it in your scan, it probably comes from another package, If you don’t need it, you should remove it.
The vulnerabilities in 7-zip (CVE-2024-11477, CVE-2022-29072, CVE-2023-31102) are serious — they allow things like running code or memory issues when handling with untrusted files.

For inflight and wrappy, these are old packages (not maintained for 8 and 4 years) that are pulled by other modules like glob. The CVE here (CVE-2016-3956) is not that big of a problem unless you allow third-party scripts code execution.
Specifically:
wrappy comes from inflight, which comes from glob, which comes from shell.js, and finally, azure-pipelines-task-lib.

If you’re the only one using your project and not exposing it to other users or code, it should be fine.
Running npm audit fix may help. (it should update 7-zip and do nothing for wrappy/inflight since they are not maintained)

also, I guessed it was 7-zip and not sevenzip (beacause of the cve) you can check were it cames from the package.json if you directly imported it yourself (in the dependencies section) or in the package-lock.json if imported by other package (still in dependencies section but from a package this time)

TLDR:
7-zip: If you don’t use it, remove it. It’s a real security risk. or you can also just update 7-zip to the last version.
Check where it come from in your project. You can check the package.json if you imported it directly, or in the package-lock.json if it was imported by another package.

inflight/wrappy: Low risk if you're the only one interacting with the project. I don't know the importance of shelljs for azure-pipelines-task-lib

0 replies

Manikya-Sarashetty · 2025-04-30T05:29:41Z

Manikya-Sarashetty
Apr 30, 2025
Author

Thank you for the reply however I am developing a custom Azure DevOps Extension and need to use the azure-pipelines-task-lib package. However, installing this package also brings in inflight and wrappy as direct dependencies, which are flagged as vulnerabilities during a security scan. Is there a way to avoid these direct dependencies, or will this issue be addressed in future updates of the azure-pipelines-task-lib package?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

What is the impact of these Vulnerabilities reported on a security scan of the node_modules folder when you install the latest npm package azure-pipelines-task-lib? #157370

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

GitHub Community

What is the impact of these Vulnerabilities reported on a security scan of the node_modules folder when you install the latest npm package azure-pipelines-task-lib? #157370

Uh oh!

Manikya-Sarashetty Apr 22, 2025

Replies: 2 comments

Uh oh!

candaesCedric Apr 25, 2025

Uh oh!

Uh oh!

Manikya-Sarashetty Apr 30, 2025 Author

Manikya-Sarashetty
Apr 22, 2025

candaesCedric
Apr 25, 2025

Manikya-Sarashetty
Apr 30, 2025
Author