Description
What happened?
Our security scanner is detecting vulnerable versions of various node packages included in the agent tarball, even up to the latest 4.244.1 release. Can the versions be updated to the latest?
minimatch CVE-2022-3517
Upgrade from 3.0.0->3.0.5+ tmp/agent_src/externals/vso-task-lib/node_modules/minimatch/package.json
brace-expansion CVE-2017-18077
Upgrade from 1.1.5->1.1.7+ tmp/agent_src/externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json
shelljs CVE-2022-0144 AND (GHSA-64g7-mvw6-v9qj)
Upgrade from 0.3.0->0.8.5+ tmp/agent_src/externals/vso-task-lib/node_modules/shelljs/package.json
Versions
azure-pipelines-4.244.1
https://github.com/microsoft/azure-pipelines-agent/releases
https://vstsagentpackage.azureedge.net/agent/4.244.1/vsts-agent-linux-x64-4.244.1.tar.gz
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
No response
Operating system
No response
Version control system
No response
Relevant log output
> tar -xf ../vsts-agent-linux-x64-4.244.1.tar.gz
> ls
bin config.sh env.sh externals license.html run-docker.sh run.sh
>grep version ./externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json
"version": "1.1.5",
>grep version externals/vso-task-lib/node_modules/shelljs/package.json
"version": "0.3.0",
>grep version externals/vso-task-lib/node_modules/minimatch/package.json
"version": "3.0.0",
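The manual `tar -xf` and `grep version` steps above can be turned into a repeatable check that reads the agent tarball directly and flags any bundled package older than the fixed versions quoted in this report. This is an added example, not code from the reporter or from the azure-pipelines-agent project; `audit_tarball` and `build_sample_tarball` are hypothetical names, and the sample tarball is constructed in memory from the paths in the report so it runs offline.

```python
import io
import json
import tarfile
from pathlib import PurePosixPath

# Minimum non-vulnerable versions quoted in the issue above.
MIN_FIXED = {
    "minimatch": "3.0.5",        # CVE-2022-3517
    "brace-expansion": "1.1.7",  # CVE-2017-18077
    "shelljs": "0.8.5",          # CVE-2022-0144 / GHSA-64g7-mvw6-v9qj
}

def parse_version(v):
    """Turn '1.1.5' into (1, 1, 5); a pre-release or build suffix is dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def audit_tarball(fileobj, floors=MIN_FIXED):
    """Return (member path, name, version, fixed version) for every package.json
    in the tarball whose package is older than its fixed version."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or PurePosixPath(member.name).name != "package.json":
                continue
            meta = json.load(tar.extractfile(member))
            name, version = meta.get("name"), meta.get("version")
            if name in floors and version and parse_version(version) < parse_version(floors[name]):
                findings.append((member.name, name, version, floors[name]))
    return findings

def build_sample_tarball():
    """Constructed stand-in for the agent tarball using the paths from the report."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, name, version in [
            ("externals/vso-task-lib/node_modules/minimatch/package.json", "minimatch", "3.0.0"),
            ("externals/vso-task-lib/node_modules/minimatch/node_modules/brace-expansion/package.json", "brace-expansion", "1.1.5"),
            ("externals/vso-task-lib/node_modules/shelljs/package.json", "shelljs", "0.3.0"),
            ("externals/other-lib/package.json", "other-lib", "1.0.0"),  # constructed control entry
        ]:
            data = json.dumps({"name": name, "version": version}).encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, name, version, floor in audit_tarball(build_sample_tarball()):
        print(f"{name} {version} < {floor}  ({path})")
```

Pointing `audit_tarball` at the real release tarball (open it in binary mode and pass the file object) reports the three packages from this issue and stays quiet once the bundled versions reach the floors.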