Describe the bug
The @webex/calling package depends on @webex/event-dictionary-ts, which in turn depends on webapi-parser, which pulls in a version of ajv affected by a prototype pollution vulnerability.
| Package | Severity | Advisory | Description |
|---|---|---|---|
| ajv (<8.0.0) | Moderate | GHSA-v88g-cgmw-v5xw | Prototype pollution via schema compilation |
To Reproduce
- Create a new Node.js project
- Run `npm install webex@3.11.0`
- Run `npm audit`
- See the `ajv` prototype pollution vulnerability reported
Expected behavior
The dependency chain should use ajv version 8.x or higher which has addressed the prototype pollution vulnerability.
Screenshots
N/A - This is a dependency vulnerability issue.
Platform (please complete the following information):
- OS: Windows 11 / Linux
- Browser: N/A (Node.js SDK)
- Version: webex@3.11.0, Node.js 20.x
- Device Type: Desktop
Additional context
Dependency chain:

```
webex@3.11.0
└── @webex/calling@3.11.0
    └── @webex/internal-plugin-metrics
        └── @webex/event-dictionary-ts
            └── webapi-parser
                └── ajv (vulnerable version)
```
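As an added example that is not part of this issue or the webex project, the script below walks an `npm ls --json` style dependency tree and reports every path that ends in an ajv release below 8.0.0, the range named in the advisory above. The tree it walks is constructed from the chain above; the versions of the intermediate packages are assumptions.

```javascript
// Build a nested npm-ls style `dependencies` map from a linear "name@version" chain.
function chain(...specs) {
  return specs.reduceRight((deeper, spec) => {
    const at = spec.lastIndexOf('@'); // scoped names contain an earlier '@'
    const node = { version: spec.slice(at + 1) };
    if (deeper) node.dependencies = deeper;
    return { [spec.slice(0, at)]: node };
  }, null);
}

const sampleTree = { // constructed stand-in for the chain in the issue; intermediate versions assumed
  name: 'my-app', version: '1.0.0',
  dependencies: chain('webex@3.11.0', '@webex/calling@3.11.0',
    '@webex/internal-plugin-metrics@3.11.0', '@webex/event-dictionary-ts@1.0.0',
    'webapi-parser@0.5.0', 'ajv@6.12.6'),
};
sampleTree.dependencies.webex.dependencies.ajv = { version: '8.12.0' }; // sibling already on fixed major

// Parse "MAJOR.MINOR.PATCH" into numbers; null for non-semver strings.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// GHSA-v88g-cgmw-v5xw covers ajv < 8.0.0 (the range given in the issue).
function isVulnerableAjv(version) {
  const p = parseSemver(version);
  return p !== null && p[0] < 8;
}

// Depth-first walk; returns [{ path: ['webex@3.11.0', ...], version }].
function findVulnerablePaths(tree, pkgName, isVulnerable) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version || '?'}`];
      if (name === pkgName && isVulnerable(child.version || '')) {
        hits.push({ path: here, version: child.version });
      }
      walk(child, here);
    }
  };
  walk(tree, []);
  return hits;
}

for (const h of findVulnerablePaths(sampleTree, 'ajv', isVulnerableAjv)) {
  console.log(h.path.join(' > '));
}
```

To run it against a real install, replace `sampleTree` with the parsed output of `npm ls --all --json`. Forcing ajv 8.x through an npm `overrides` entry is only safe once webapi-parser has been verified against it, since ajv 8 changed its API.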