cypress-io / code-coverage

Saves the code coverage collected during Cypress tests
MIT License
433 stars, 108 forks

Security vulnerability in "glob-parent" nested dependency #460

Open Gelio opened 3 years ago

Gelio commented 3 years ago

I was not sure where to report the problem, as it's related to some nested dependencies, but all of them start with @cypress/code-coverage.

Logs and screenshots

Logs from `npm audit`:

```
=== npm audit security report ===

# Run npm update null --depth 4 to resolve 1 vulnerability

Moderate        Regular expression denial of service
Package         glob-parent
Dependency of   @cypress/code-coverage
Path            @cypress/code-coverage > @cypress/browserify-preprocessor >
                babel-plugin-add-module-exports > chokidar > glob-parent
More info       https://npmjs.com/advisories/1751

# Run npm update glob-parent --depth 4 to resolve 1 vulnerability

Moderate        Regular expression denial of service
Package         glob-parent
Dependency of   @cypress/code-coverage
Path            @cypress/code-coverage > globby > fast-glob > glob-parent
More info       https://npmjs.com/advisories/1751

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Moderate        Regular expression denial of service
Package         glob-parent
Patched in      >=5.1.2
Dependency of   @cypress/code-coverage
Path            @cypress/code-coverage > @cypress/browserify-preprocessor >
                watchify > chokidar > glob-parent
More info       https://npmjs.com/advisories/1751
```

Versions

```
"@cypress/code-coverage": "^3.9.6",
"cypress": "^6.4.0",
```

OS: Ubuntu 20.10
Shell: bash
Node: v12.22.1
npm: 6.14.12

Describe the bug

There is a security vulnerability in a nested glob-parent package. See the npm audit logs for more details.

Link to the repo https://github.com/cloudify-cosmo/cloudify-ui-common

Not the smallest reproducible example, but running `npm install && npm audit` will yield those problems.
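As an added example (not code from the issue or from the cypress-io/code-coverage project), the check below walks an `npm ls --json`-style dependency tree and lists every path that reaches a glob-parent older than the patched 5.1.2 named in the audit, the same "Path" information npm audit prints. The tree is constructed; only the @cypress/code-coverage version comes from the issue, and the other versions are illustrative.

```javascript
// Added example, not code from the issue or the cypress-io/code-coverage
// project: find every path to a glob-parent older than the patched 5.1.2.
// Minimal three-part version comparison (no semver library needed):
// negative if a is older than b, 0 if equal, positive if newer.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}
// Recursively collect "a > b > pkg@version" strings for every node named
// `pkg` whose version is below `patched`; unaffected copies are skipped.
function findVulnerablePaths(tree, pkg, patched, trail = []) {
  const found = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = trail.concat(name);
    if (name === pkg && compareVersions(node.version, patched) < 0) {
      found.push(`${path.join(' > ')}@${node.version}`);
    }
    found.push(...findVulnerablePaths(node, pkg, patched, path));
  }
  return found;
}
// Constructed sample tree mirroring the three paths in the audit log above.
// Only the @cypress/code-coverage version comes from the issue; the rest are
// illustrative, with the watchify path already carrying the patched release.
const dep = (version, dependencies) => ({ version, dependencies });
const sampleTree = dep('0.0.0', {
  '@cypress/code-coverage': dep('3.9.6', {
    '@cypress/browserify-preprocessor': dep('3.0.0', {
      'babel-plugin-add-module-exports': dep('1.0.0', {
        chokidar: dep('2.0.0', { 'glob-parent': dep('3.1.0') }),
      }),
      watchify: dep('4.0.0', {
        chokidar: dep('3.5.0', { 'glob-parent': dep('5.1.2') }),
      }),
    }),
    globby: dep('11.0.0', {
      'fast-glob': dep('3.2.0', { 'glob-parent': dep('5.1.1') }),
    }),
  }),
});
```

Running `findVulnerablePaths(sampleTree, 'glob-parent', '5.1.2')` on this tree reports the babel-plugin-add-module-exports and globby paths and skips the watchify path, which already carries the patched release.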

ChunxiAlexLuo commented 3 years ago

When will we get it fixed?

brookjordan commented 2 years ago

~Is this being looked into? A version of @cypress/browserify-preprocessor with the vulnerable glob-parent version is being used.~

I see that @renovate-bot has attempted to fix this with #519