projen@0.13.5 vulnerabilities

CDK for software projects

Direct Vulnerabilities

Known vulnerabilities in the projen package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Arbitrary Code Execution

projen is a CDK for software projects

Affected versions of this package are vulnerable to Arbitrary Code Execution. Users of projen's NodeProject project type (including any project type derived from it) include a .github/workflows/rebuild-bot.yml workflow that may allow any GitHub user to trigger execution of un-trusted code in the context of the main repository (as opposed to that of a fork). In some situations, such untrusted code may potentially be able to commit to the main repository.

How to fix Arbitrary Code Execution?

Upgrade projen to version 0.16.41 or higher.

>=0.6.0 <0.16.41