Installing @zenstackhq/cli immediately brings in known vulnerabilities #2704

@electrovir

Description

Installing @zenstackhq/cli (npm i -D @zenstackhq/cli) immediately brings in 8 new vulnerabilities:

lodash-es  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
No fix available
node_modules/lodash-es
  @chevrotain/cst-dts-gen  11.0.0 - 11.1.0
  Depends on vulnerable versions of @chevrotain/gast
  Depends on vulnerable versions of lodash-es
  node_modules/@chevrotain/cst-dts-gen
  @chevrotain/gast  11.0.0 - 11.1.0
  Depends on vulnerable versions of lodash-es
  node_modules/@chevrotain/gast
  chevrotain  11.0.0 - 11.1.0
  Depends on vulnerable versions of @chevrotain/cst-dts-gen
  Depends on vulnerable versions of @chevrotain/gast
  Depends on vulnerable versions of lodash-es
  node_modules/chevrotain
    langium  2.1.0 - 4.1.3
    Depends on vulnerable versions of chevrotain
    node_modules/langium
      @zenstackhq/cli  *
      Depends on vulnerable versions of @zenstackhq/language
      Depends on vulnerable versions of @zenstackhq/sdk
      Depends on vulnerable versions of langium
      node_modules/@zenstackhq/cli
      @zenstackhq/language  >=3.0.0-alpha.0
      Depends on vulnerable versions of langium
      node_modules/@zenstackhq/language
        @zenstackhq/sdk  <=1.0.0-alpha.30 || >=3.0.0-alpha.0
        Depends on vulnerable versions of @zenstackhq/language
        Depends on vulnerable versions of langium
        node_modules/@zenstackhq/sdk

8 vulnerabilities (7 moderate, 1 high)

Expected behavior

That installing zendesk doesn't immediately add multiple vulnerabilities to my project.

Environment

  • ZenStack version: @zenstackhq/cli@3.7.2
  • Package manager: npm
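Added example, not ZenStack's or npm's code: a Python script that walks an `npm audit --json` report (npm's `auditReportVersion` 2 format) from the package that actually carries the advisories (here lodash-es) along its `effects` edges to the direct dependency that pulls it in. That chain is what a reviewer needs in order to decide which direct dependency has to ship a fix and whether the vulnerable code is reachable at all, since only one entry in the report above is a root cause and the other seven are flagged purely for depending on it. The report embedded below is hand-constructed to mirror the chain in the issue; the advisory ids and titles are the ones quoted above, the field names are npm's, and `_entry`, `triage` and the other functions are this example's own.

```python
"""Trace the findings of `npm audit --json` back to the direct dependency that pulls
them in. Added example; the report below is constructed, not captured output."""
import json
from collections import Counter, deque
from typing import Dict, List, Optional


def _entry(name, severity, via, effects, direct=False, fix=False):
    """Helper of this example: one entry in npm's `vulnerabilities` map."""
    return {"name": name, "severity": severity, "isDirect": direct, "via": via,
            "effects": effects, "fixAvailable": fix}


# Constructed sample mirroring the chain in the issue. In npm's format, a `via` element
# is an advisory object when the package itself is vulnerable and a bare package name
# when it is only vulnerable through a dependency; `effects` lists the dependents.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "lodash-es": _entry("lodash-es", "high", [
            {"url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc",
             "title": "lodash vulnerable to Code Injection via `_.template` imports key names"},
            {"url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh",
             "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"},
            {"url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg",
             "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"},
        ], ["@chevrotain/cst-dts-gen", "@chevrotain/gast", "chevrotain"]),
        "@chevrotain/gast": _entry("@chevrotain/gast", "moderate", ["lodash-es"],
                                   ["@chevrotain/cst-dts-gen", "chevrotain"]),
        "@chevrotain/cst-dts-gen": _entry("@chevrotain/cst-dts-gen", "moderate",
                                          ["@chevrotain/gast", "lodash-es"], ["chevrotain"]),
        "chevrotain": _entry("chevrotain", "moderate",
                             ["@chevrotain/cst-dts-gen", "@chevrotain/gast", "lodash-es"], ["langium"]),
        "langium": _entry("langium", "moderate", ["chevrotain"],
                          ["@zenstackhq/cli", "@zenstackhq/language", "@zenstackhq/sdk"]),
        "@zenstackhq/language": _entry("@zenstackhq/language", "moderate", ["langium"],
                                       ["@zenstackhq/cli", "@zenstackhq/sdk"]),
        "@zenstackhq/sdk": _entry("@zenstackhq/sdk", "moderate",
                                  ["@zenstackhq/language", "langium"], ["@zenstackhq/cli"]),
        "@zenstackhq/cli": _entry("@zenstackhq/cli", "moderate",
                                  ["@zenstackhq/language", "@zenstackhq/sdk", "langium"], [], direct=True),
    },
}
SAMPLE_AUDIT_JSON = json.dumps(SAMPLE_REPORT)


def root_causes(report: dict) -> Dict[str, List[str]]:
    """Packages that carry an advisory themselves, mapped to their GHSA ids."""
    causes = {}
    for name, entry in report["vulnerabilities"].items():
        ids = [v["url"].rsplit("/", 1)[-1] for v in entry["via"] if isinstance(v, dict)]
        if ids:
            causes[name] = ids
    return causes


def shortest_chain(report: dict, root: str, target: str) -> Optional[List[str]]:
    """BFS over `effects` edges (package -> its dependents) from root cause to target."""
    vulns = report["vulnerabilities"]
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dependent in vulns.get(path[-1], {}).get("effects", []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(path + [dependent])
    return None


def direct_dependents(report: dict, root: str) -> List[str]:
    """Direct dependencies of the project (`isDirect`) reachable from `root`."""
    vulns = report["vulnerabilities"]
    reachable, stack = set(), [root]
    while stack:
        for dependent in vulns.get(stack.pop(), {}).get("effects", []):
            if dependent not in reachable:
                reachable.add(dependent)
                stack.append(dependent)
    return sorted(n for n in reachable if vulns.get(n, {}).get("isDirect"))


def severity_counts(report: dict) -> Dict[str, int]:
    """Same tally npm prints at the end of its text output."""
    return dict(Counter(e["severity"] for e in report["vulnerabilities"].values()))


def triage(audit_json: str) -> Dict[str, dict]:
    """Per root cause: advisories, whether npm offers a fix, and the shortest chain
    to each direct dependency it reaches. `fixAvailable` may also be an object
    describing a semver-major upgrade, so it is reduced to a boolean here."""
    report = json.loads(audit_json)
    out = {}
    for root, ids in root_causes(report).items():
        out[root] = {
            "advisories": ids,
            "fix_available": bool(report["vulnerabilities"][root].get("fixAvailable")),
            "chains": {d: shortest_chain(report, root, d) for d in direct_dependents(report, root)},
        }
    return out


if __name__ == "__main__":
    for root, info in triage(SAMPLE_AUDIT_JSON).items():
        print(root, info["advisories"], "fix available:", info["fix_available"])
        for chain in info["chains"].values():
            print("  ", " -> ".join(chain))
```

On a real project the input is the output of `npm audit --json` fed to `triage()`. The distinction `root_causes` keys on (advisory objects versus bare package names in `via`) is what separates the one package that actually needs patching from the seven that only inherit the finding, and the chain it prints is the list of maintainers who must bump a dependency before `npm audit` goes quiet for this project.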
