I just updated Dojo to fix some vulnerability issues found by our security scan. This scan is set up by my company on the GitHub repository. When I updated from 1.10 to 1.17.3, I was able to close some of the vulnerabilities, but new ones were raised on the new version. This is where I downloaded the latest version: http://download.dojotoolkit.org/release-1.17.3/dojo-release-1.17.3.zip
This is one of the vulnerabilities found on the new version. All the others follow the same pattern:

Path Traversal in decompress
Critical • Development • #104 opened 6 hours ago • Detected in decompress (npm) • Web/WebContent/dojo/dojo/package-lock.json
Proposed fix: Versions of decompress prior to 4.2.1 are vulnerable to Arbitrary File Write. The package fails to prevent extraction of files with relative paths, allowing attackers to write to any folder in the system by including filenames containing ../. Upgrade to version 4.2.1 or later.
I don't have any intention of rebuilding the package by applying the suggested fix. Is anyone else facing the same issue?