basic-ftp Critical Security Vulnerability: CVE-2026-27699

[tbalbacete]

The dependency proxy-agent has a sub-dependency, basic-ftp, which has a critical security vulnerability (CVE-2026-27699), which is present in even the latest release version.

[wing328]

Thanks for letting us know

The basic-ftp library contains a path traversal vulnerability in the downloadToDir() method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (../) that cause files to be written outside the intended download director

From what I understand the security vulnerability, it shouldn't affect our users of openapi-generator-cli as our CLI has nothing to do with FTP.

[tbalbacete]

Yes I understood this to be the case as well, that there isn't actually a risk, but our issue is that we use trivy to scan our dependencies and this critical vulnerability causes our builds/scans to fail as this vulnerability is technically present in a dependency of openapi-generator-cli

[wing328]

merged #1196 to update proxy-agent to the latest stable version.

i think we can close this one. happy to reopen if needed.