[Bug]: NuGet package includes nodejs 20.11.0 which is included in CVE-2024-27983
brettski opened this issue
Version
1.43.0
Steps to reproduce
microsoft.playwright.1.43.0 (and some earlier versions) includes a Node.js executable, version 20.11.0.
This file is flagged by scanners (e.g., JFrog) with a High vulnerability due to CVE-2024-27983.
This stops the package from being downloaded within these platforms and in environments where packages are scanned prior to their use.
Expected behavior
It is expected that included Node.js executables are not flagged as having a security vulnerability.
Actual behavior
Vulnerable included Node.js executables are flagged as a high-security vulnerability.
Additional context
No response
Environment
- Operating System: Windows, Linux
- CPU: [arm64]
- .NET Version (TFM): [net8.0]
I'll close it, since this gets fixed in 1.44.0 which we'll release shortly.