PT-2022-27772 · Airtable · Airtable.js

Davidmally-At · Published 2022-11-29 · Updated 2023-07-07 · CVE-2022-46155

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Airtable.js versions prior to 0.11.6

Description: The issue arises from a misconfigured build script in the Airtable.js source package, which bundles environment variables into the build target of a transpiled bundle. Specifically, the AIRTABLE_API_KEY and AIRTABLE_ENDPOINT_URL environment variables are inlined during Browserify builds because Airtable.js code references them. This affects copies of Airtable.js built from source, not those installed via npm or yarn. If a user has cloned the Airtable.js source, runs the npm prepare script, and has the AIRTABLE_API_KEY environment variable set, their local build of Airtable.js may be modified to include the value of that variable, which could then be accidentally shipped in the bundled code.

Recommendations: To resolve the issue, upgrade to Airtable.js version 0.11.6 or higher. As a workaround, unset the AIRTABLE_API_KEY environment variable in your shell and/or remove it from your .bashrc, .zshrc, or other shell configuration files. Regenerate any Airtable API keys you use, as they may be present in bundled code.
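The mechanism described above, as an added example that is not Airtable.js code: a minimal envify-style inliner showing how a `process.env.NAME` reference becomes a literal in the bundle, the hardened variant that only inlines an explicit allowlist, and a post-build check that reports which secret values ended up in the bundle text. The sample source, the environment values and the function names are constructed for illustration.

```javascript
// Added example, not code from Airtable.js. Sample source and env values are
// constructed placeholders.

// Inline `process.env.NAME` references the way a Browserify envify transform
// does. With no allowlist, every variable present in `env` is baked into the
// output, which is the build behaviour the advisory describes.
function inlineEnv(source, env, allowlist) {
  return source.replace(/process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(env, name)) return match;
    if (allowlist && !allowlist.includes(name)) return match; // leave as runtime lookup
    return JSON.stringify(env[name]);
  });
}

// Post-build check: return the names of sensitive variables whose values
// appear verbatim in the bundle. Run this before publishing a build.
function findLeakedSecrets(bundle, env, secretNames) {
  return secretNames.filter((name) => {
    const value = env[name];
    return typeof value === 'string' && value.length > 0 && bundle.includes(value);
  });
}

// Constructed sample: source that reads the same variables the advisory names,
// and a build environment where the key happens to be set in the developer's shell.
const SAMPLE_SOURCE = [
  'var apiKey = process.env.AIRTABLE_API_KEY;',
  'var endpointUrl = process.env.AIRTABLE_ENDPOINT_URL;',
  'var isProd = process.env.NODE_ENV === "production";',
].join('\n');

const SAMPLE_ENV = {
  AIRTABLE_API_KEY: 'keyCONSTRUCTEDEXAMPLE0000', // placeholder, not a real key
  AIRTABLE_ENDPOINT_URL: 'https://airtable.example.invalid',
  NODE_ENV: 'production',
};
const SECRET_NAMES = ['AIRTABLE_API_KEY', 'AIRTABLE_ENDPOINT_URL'];

// Vulnerable build: everything present in the environment is inlined.
function buildUnsafe() { return inlineEnv(SAMPLE_SOURCE, SAMPLE_ENV); }

// Hardened build: only an explicit, non-secret allowlist is inlined; secret
// references stay as runtime `process.env` lookups.
function buildSafe() { return inlineEnv(SAMPLE_SOURCE, SAMPLE_ENV, ['NODE_ENV']); }
```

Pointing `findLeakedSecrets` at a real bundle with the current environment is the same check a CI step can run before `npm publish`.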

Weakness Enumeration
Insufficiently Protected Credentials
Cleartext Storage of Sensitive Information

Related Identifiers
CVE-2022-46155
GHSA-VQM5-9546-X25V

Affected Products
Airtable.js