Open Gelio opened 3 years ago
When will we get it fixed?
~Is this being looked into? A version of @cypress/browserify-preprocessor with the vulnerable glob-parent version is being used.~
I see that @renovate-bot has attempted to fix this with #519
I was not sure where to report the problem, as it's related to some nested dependencies, but all of them start with `@cypress/code-coverage`.

Logs and screenshots
Logs from `npm audit`
```
[2021-06-08T03:04:55.893Z] === npm audit security report ===
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] # Run  npm update null --depth 4  to resolve 1 vulnerability
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Moderate        Regular expression denial of service
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Package         glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Dependency of   @cypress/code-coverage
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Path            @cypress/code-coverage > @cypress/browserify-preprocessor >
[2021-06-08T03:04:55.893Z]                   babel-plugin-add-module-exports > chokidar > glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   More info       https://npmjs.com/advisories/1751
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] # Run  npm update glob-parent --depth 4  to resolve 1 vulnerability
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Moderate        Regular expression denial of service
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Package         glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Dependency of   @cypress/code-coverage
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Path            @cypress/code-coverage > globby > fast-glob > glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   More info       https://npmjs.com/advisories/1751
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Manual Review
[2021-06-08T03:04:55.893Z]   Some vulnerabilities require your attention to resolve
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Visit https://go.npm.me/audit-guide for additional guidance
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Moderate        Regular expression denial of service
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Package         glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Patched in      >=5.1.2
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Dependency of   @cypress/code-coverage
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]   Path            @cypress/code-coverage > @cypress/browserify-preprocessor >
[2021-06-08T03:04:55.894Z]                   watchify > chokidar > glob-parent
[2021-06-08T03:04:55.894Z]
[2021-06-08T03:04:55.894Z]   More info       https://npmjs.com/advisories/1751
[2021-06-08T03:04:55.894Z]
```

Versions
OS: Ubuntu 20.10
Shell: bash
Node: v12.22.1
npm: 6.14.12
Describe the bug
There is a security vulnerability in a nested `glob-parent` package. See the `npm audit` logs for more details.

Link to the repo: https://github.com/cloudify-cosmo/cloudify-ui-common
Not the smallest reproducible example, but running `npm install && npm audit` will yield those problems.
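Added example, not code from the issue, the linked repository, or the Cypress project: the audit report above lists one "Path" per installed copy of glob-parent, which is exactly what the nested `dependencies` maps in an npm 6 `package-lock.json` (lockfileVersion 1, the format written by the npm 6.14.12 reported here) encode. The script below walks such a lock file and returns every install path ending in a `glob-parent` older than the patched 5.1.2 quoted in the advisory, so the same check can run in CI without hitting the registry. The embedded lock fragment is constructed to mirror the three paths in the report; its version numbers are placeholders, not the versions actually installed by the repository.

```javascript
// Added example, not code from the issue or any of the projects it names.
// Walks an npm 6 package-lock.json (lockfileVersion 1: nested "dependencies"
// maps) and lists every install path ending in a copy of a package whose
// version is older than the patched release, the way `npm audit` prints "Path".

const PATCHED_GLOB_PARENT = '5.1.2'; // "Patched in >=5.1.2" from the audit report

// Minimal semver parse: "5.1.1" -> [5, 1, 1]. Pre-release and build suffixes
// are dropped, which is adequate for the release-only trees involved here.
function parseVersion(v) {
  return v.split('+')[0].split('-')[0].split('.').map((n) => parseInt(n, 10));
}

// True when version a is strictly older than version b, compared field by field
// as numbers (so 5.10.0 is newer than 5.9.0, unlike a string comparison).
function isOlder(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk of the lock tree. Returns [{ path, version }] for each copy
// of pkgName older than `patched`; a hoisted, already-fixed copy is not reported.
function findVulnerablePaths(lock, pkgName, patched) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkgName && isOlder(info.version, patched)) {
        hits.push({ path: path.join(' > '), version: info.version });
      }
      walk(info.dependencies, path); // conflicting copies nest under their parent
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lock fragment mirroring the three paths in the report above.
// All version numbers are placeholders (assumptions), not real installed versions.
const constructedLock = {
  lockfileVersion: 1,
  dependencies: {
    '@cypress/code-coverage': {
      version: '0.0.0',
      dependencies: {
        '@cypress/browserify-preprocessor': {
          version: '0.0.0',
          dependencies: {
            'babel-plugin-add-module-exports': {
              version: '0.0.0',
              dependencies: {
                chokidar: { version: '0.0.0', dependencies: { 'glob-parent': { version: '3.1.0' } } },
              },
            },
            watchify: {
              version: '0.0.0',
              dependencies: {
                chokidar: { version: '0.0.0', dependencies: { 'glob-parent': { version: '3.1.0' } } },
              },
            },
          },
        },
        globby: {
          version: '0.0.0',
          dependencies: {
            'fast-glob': { version: '0.0.0', dependencies: { 'glob-parent': { version: '5.1.1' } } },
          },
        },
      },
    },
    // Hoisted top-level copy that is already patched: must not be flagged.
    'glob-parent': { version: '5.1.2' },
  },
};
```

On a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `constructedLock`; each returned `path` corresponds to one "Path" entry in the report, and an empty result means every installed copy is at or above the patched version. The walk only understands the v1 nested layout, so a lockfileVersion 2 or 3 file (npm 7 and later, flat `packages` map) would need a different traversal.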