Upgrade Auth0-deploy-cli version to address security vulnerabilities

Overview

At the moment, we are referencing auth0-deploy-cli version 5.5.1 within our custom Auth0 implementation to manage our applications across our Auth0 tenants. We recently performed a security scan on this custom implementation, and the following high-severity vulnerabilities were identified:
* https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724
* https://security.snyk.io/vuln/SNYK-JS-ASYNC-2441827
* https://security.snyk.io/vuln/SNYK-JS-PUG-1071616
* https://security.snyk.io/vuln/SNYK-JS-NCONF-2395478
* https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
We were able to address the vulnerabilities in the lodash and async packages. However, for the remaining three vulnerabilities, the fix is to upgrade the auth0-deploy-cli version.


From https://github.com/auth0/auth0-deploy-cli/blob/master/CHANGELOG.md , we do see that there were quite a few changes since 5.5.1 version. We request you to kindly advise the best version to which we can upgrade our CLI version to address the reported vulnerabilities and, at the same time, NOT introduce any new functional conflicts within our existing custom Auth0 implementation. 

Applies To
  • security vulnerabilities
Solution
I understand you use auth0-deploy-cli as a package in your application, and you detected some vulnerabilities caused by our library's dependencies. I have noticed that we don't directly use pug or ansi-regex, but only the nconf library at version ^0.8.4, in version 5.5.1 of the CLI. The other vulnerable libraries should be dependencies of the libraries we use in the CLI tool.

# THE GENERIC PART 

Since we don't know how you integrated the CLI in your app and don't have the option to execute the security scan tool (like Snyk) ourselves, finding the version from your end could be more practical. So I would like to share an approach that may work.

1- You may gradually increase the auth0-deploy-cli dependency version in your application and run the security scan tool to find the minimum version that avoids the warnings. This step should be quick to complete if you have already integrated the scan tool with your application.

2- Once you find the necessary minimum version of the auth0-deploy-cli library, I recommend the following verification steps in a development tenant:

2-1 Run your application that uses auth0-deploy-cli as a dependency with the existing old version.

2-2 Export the existing configuration of the tenant with the latest version of the standalone Auth0 CLI tool.

2-3 Update the tenant again with your application that uses the auth0-deploy-cli version you found in step 1.

2-4 Use the same Auth0 CLI tool again to export the tenant settings. You may compare the first and second exports with a text/folder comparison tool like BeyondCompare to see if you notice anything unexpectedly changed.

This approach would likely be one of the safest ways to validate/detect a compatibility issue caused by auth0-deploy-cli changes. We will gladly review if you notice any unexpected changes in step 2-4.
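The procedure above, scripted as an added example that is not part of the original article: step 1 is a version sweep driven by `npm audit` (swap in Snyk if that is your scanner), and steps 2-2/2-4 are two exports with the standalone `a0deploy` binary followed by a directory comparison. It assumes `npm` and `a0deploy` are installed and that `config.json` holds the tenant credentials; the candidate versions and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Auth0 article: scripts step 1 and
# steps 2-2/2-4 of the procedure above. Assumes `npm` and the standalone
# `a0deploy` binary are installed and that config.json holds the tenant
# credentials; candidate versions and paths are placeholders.
set -eu

# Step 1: install candidate versions in ascending order and report the
# first one whose dependency tree has no high/critical advisories
# (`npm audit --audit-level=high` exits non-zero while such advisories
# remain; `snyk test --severity-threshold=high` behaves the same way).
find_min_clean_version() {        # find_min_clean_version 5.6.0 6.0.0 ...
  for v in "$@"; do
    npm install --no-save "auth0-deploy-cli@$v" >/dev/null 2>&1 || continue
    if npm audit --audit-level=high >/dev/null 2>&1; then
      echo "$v"
      return 0
    fi
  done
  echo "no candidate version passed the scan" >&2
  return 1
}

# Steps 2-2 and 2-4: export the tenant with the standalone CLI into a
# directory of YAML files so the two snapshots can be compared as text.
export_tenant() {                 # export_tenant config.json ./export-before
  a0deploy export --config_file "$1" --format yaml --output_folder "$2"
}

# Compare two export directories. Prints every added, removed or changed
# file and returns 1 if anything differs, 0 if the snapshots are identical.
compare_exports() {               # compare_exports ./export-before ./export-after
  if diff -rq "$1" "$2"; then
    echo "no differences between $1 and $2"
    return 0
  fi
  echo "review the files listed above before rolling the upgrade out" >&2
  return 1
}

# Typical run (commented out so the functions can be sourced safely):
# export_tenant config.json ./export-before          # old version deployed
# ver=$(find_min_clean_version 5.6.0 6.0.0 7.0.0)   # placeholder versions
# ... update the tenant with your application on version $ver ...
# export_tenant config.json ./export-after
# compare_exports ./export-before ./export-after
```

A non-zero exit from `compare_exports` is the signal to inspect the listed files (in BeyondCompare or any diff viewer) before promoting the new version beyond the development tenant.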
