PT-2023-33033 · Dbt-Core · Dbt-Core

Published 2023-12-08 · Updated 2023-12-08

CVSS v3.1: 3.2 (Low)

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: dbt-core versions prior to 1.7.3

Description: The issue arises when dbt-core is used to pull source code from a private repository using a Personal Access Token (PAT). In this scenario, some versions of dbt-core write a URL containing the PAT in plaintext to the package-lock.yml file. This could expose sensitive information.

Recommendations: For dbt-core versions prior to 1.7.3, update to version 1.7.3 or later to resolve the issue. As a temporary workaround, remove any git URLs with plaintext secrets from package-lock.yml file(s) on servers, workstations, and in source control. Rotate any tokens that have been written to version-controlled files to minimize the risk of exploitation.
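The workaround above amounts to finding, and scrubbing, git URLs that carry a credential in their userinfo part. As an added example (not dbt-core's own code and not part of this advisory), the Python below scans a constructed package-lock.yml for http(s) URLs with embedded userinfo and rewrites them without it; the file layout and the token value are assumed sample data, not taken from a real lock file.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Only http(s) URLs are considered: a PAT is passed as userinfo in these,
# whereas the "git@host:org/repo.git" SSH form carries no secret in the URL.
URL_RE = re.compile(r'https?://[^\s"\']+')

# Constructed sample lock file (layout approximated, token is a placeholder).
SAMPLE_LOCK = """\
packages:
  - git: "https://ghp_EXAMPLETOKEN@github.com/example-org/private-dbt-package.git"
    revision: 1.2.0
  - package: dbt-labs/dbt_utils
    version: 1.1.1
  - git: https://github.com/dbt-labs/dbt-audit-helper.git
    revision: 0.9.0
sha1_hash: 0000000000000000000000000000000000000000
"""


def has_credentials(url: str) -> bool:
    """True if the URL carries a username and/or password (e.g. a PAT)."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


def find_url_credentials(text: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for every http(s) URL with userinfo."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            if has_credentials(match.group(0)):
                hits.append((lineno, match.group(0)))
    return hits


def redact_url(url: str) -> str:
    """Rebuild the URL with the userinfo removed, keeping host and port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def redact_text(text: str) -> str:
    """Scrub every credential-bearing URL in a file body, leaving the rest intact."""
    return URL_RE.sub(
        lambda m: redact_url(m.group(0)) if has_credentials(m.group(0)) else m.group(0),
        text,
    )


if __name__ == "__main__":
    for lineno, url in find_url_credentials(SAMPLE_LOCK):
        print(f"line {lineno}: credential in URL -> {redact_url(url)}")
```

Any URL this reports should be treated as a leaked token: scrub the file, then rotate the token as the recommendations above say, since the plaintext value may already exist in history or backups.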

Fix

Weakness Enumeration

Related Identifiers

GHSA-J4G3-3Q8X-JXQP

Affected Products

Dbt-Core