Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

glob < 9 pulls in insecure depedendency, inflight #1980

Open
joshcartme opened this issue Apr 9, 2024 · 1 comment
Open

glob < 9 pulls in insecure depedendency, inflight #1980

joshcartme opened this issue Apr 9, 2024 · 1 comment

Comments

@joshcartme
Copy link

protobuf.js version: 7.2.6
protobufjs-cli version: 1.1.2

The CLI pulls in "glob": "^8.0.0",. glob less than 9 has inflight as a dependency. inflight has a known vulnerability, https://security.snyk.io/package/npm/inflight, and as it appears to be abandonware will likely never be fixed. It is also not going to be fixed in the 8.x branch of glob, isaacs/node-glob#573.

It appears the the use of glob in the cli is compatible with 9 or 10, I'm not entirely sure how to evaluate that myself.
@joshcartme
Copy link
Author

I see that renovate attempted to upgrade glob to 9 in #1869. Something went wrong but the logs from what failed are gone. Locally I've tried upgrading it to the latest 9 and for my purposes, which are not comprehensive, it works fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@joshcartme