Bug report: yoteams-build-core dependency upon set-value 3.0.3 with CVE #364

Open
rich2099 opened this issue Mar 20, 2023 · 2 comments

@rich2099

Description

Hi Team. I'm new to this, so please let me know if I'm doing something wrong here.

yoteams-build-core has a dependency upon gulp-inject ^5.0.5 which requires group-array ^1.0.1, which requires union-value ^2.0.1 which in turn requires set-value ^3.0.0, of which the latest version is 3.0.3.

set-value 3.0.3 is quarantined within my company due to CVE-2021-23440.

How does one go about the yoteams project so we can use a newer version?

Steps to reproduce

Within my environment, when I perform a yo teams and create a new tab project, it pulls dependencies and then fails due to the quarantine of set-value 3.0.3. I cannot side load this library as my organization prevents this.

Expected results

Update yo teams to use a newer version or provide a way to use a newer version.

Actual results

Within my environment, when I perform a yo teams and create a new tab project, it pulls dependencies and then fails due to the quarantine of set-value 3.0.3. I cannot side load this library as my organization prevents this.

Project you experience issues with

yoteams-build-core

generator version

4.1.0

build tools version

1.8.0

nodejs version

18.12.0

npm version

8.19.2

Operating system (environment)

Windows

Additional Info

Nothing else
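
The dependency chain described in this report can be checked against a lockfile. The script below is an added example, not part of the original issue or the yoteams project: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and lists every chain that pulls in a given package. The lockfile is constructed for illustration: the ranges are the ones quoted in the issue, while the project name `teams-tab`, the resolved versions other than set-value 3.0.3, and the placement of yoteams-build-core under `devDependencies` are assumptions.

```javascript
// Added example: trace every dependency chain that pulls `target` into an
// npm lockfile that uses the "packages" map (lockfileVersion 2 or 3).

// Resolve `name` as seen from the package installed at `fromPath`, walking up
// through nested node_modules directories the way Node's resolution does.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root project. Enumerates every path, so on very
// large lockfiles the output can be long; `seen` only guards against cycles.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === '' ? pkg.devDependencies : {}) };
    for (const [name, range] of Object.entries(deps)) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || seen.has(depPath)) continue;
      const step = `${name}@${packages[depPath].version} (wanted ${range})`;
      if (name === target) { chains.push([...trail, step]); continue; }
      walk(depPath, [...trail, step], new Set(seen).add(depPath));
    }
  };
  if (packages['']) walk('', [], new Set(['']));
  return chains;
}

// Constructed lockfile mirroring the chain quoted in the issue.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'teams-tab', devDependencies: { 'yoteams-build-core': '^1.8.0' } },
  'node_modules/yoteams-build-core': { version: '1.8.0', dependencies: { 'gulp-inject': '^5.0.5' } },
  'node_modules/gulp-inject': { version: '5.0.5', dependencies: { 'group-array': '^1.0.1' } },
  'node_modules/group-array': { version: '1.0.1', dependencies: { 'union-value': '^2.0.1' } },
  'node_modules/union-value': { version: '2.0.1', dependencies: { 'set-value': '^3.0.0' } },
  'node_modules/set-value': { version: '3.0.3' },
} };

for (const chain of findChains(sampleLock, 'set-value')) console.log(chain.join(' > '));
```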

@stephanbisser
Member

@rich2099 we need to look into it to see if a newer version of set-value and we'll come back to you with instructions.

stephanbisser self-assigned this Apr 17, 2023

@rich2099
Author

> @rich2099 we need to look into it to see if a newer version of set-value and we'll come back to you with instructions.

@stephanbisser thank you!
