digitalmaas / serverless-plugin-browserifier

Reduce the size and speed up your Node.js based lambda's using browserify.

Dependency with high vulnerability (globby) #46

Closed vonBarbarosa closed 2 years ago

vonBarbarosa commented 2 years ago

Hello! I'm currently using serverless-plugin-browserifier on its latest version (3.1.0). When I audit with npm audit, it points me to a high vulnerability in the package glob-parent, which could be solved by updating the dependency of globby (currently on version 9.2.0).

I noticed the commit 0089e68 from 5 months ago seems to intend to solve this problem, but it's currently in the branch update-dependencies and isn't merged with master.

Could we maybe merge this branch with master, or solve this vulnerability issue another way?

Thanks!

npm audit output:

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-plugin-browserifier                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-plugin-browserifier > globby > fast-glob >        │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-ww39-953v-wcq6            │
└───────────────┴──────────────────────────────────────────────────────────────┘
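
As an added illustration of where an audit path like the one quoted above comes from (this is not code from the plugin or from anyone in this thread): the script below walks an npm lockfile's `packages` map (lockfileVersion 2/3 layout), reports every dependency chain that reaches a given package, and flags chains whose installed version is below the advisory's "Patched in" floor. The lockfile contents and the intermediate package versions are constructed to mirror the quoted path, not copied from a real install.

```javascript
// Constructed lockfile mirroring: serverless-plugin-browserifier > globby > fast-glob > glob-parent.
// Versions of the intermediate packages are assumed for the example.
const LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "serverless-plugin-browserifier": "^3.1.0" } },
    "node_modules/serverless-plugin-browserifier": { version: "3.1.0", dependencies: { globby: "^9.2.0" } },
    "node_modules/globby": { version: "9.2.0", dependencies: { "fast-glob": "^2.2.6" } },
    "node_modules/fast-glob": { version: "2.2.7", dependencies: { "glob-parent": "^3.1.0" } },
    "node_modules/glob-parent": { version: "3.1.0" },
  },
};

// npm's lookup rule: try <from>/node_modules/<dep>, then hoist one level up until the root.
function resolveDep(lock, from, dep) {
  for (let base = from; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Numeric x.y.z comparison: enough for a ">=x.y.z" floor, not a full semver range parser.
function atLeast(version, floor) {
  const a = version.split(".").map(Number), b = floor.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Depth-first walk from the root package; one record per chain that ends at `target`.
function findChains(lock, target, patchedFloor) {
  const chains = [];
  const walk = (from, names, seen) => {
    const deps = (lock.packages[from] || {}).dependencies || {};
    for (const dep of Object.keys(deps)) {
      const path = resolveDep(lock, from, dep);
      if (!path || seen.has(path)) continue; // unresolved entry or dependency cycle
      const chain = [...names, dep];
      if (dep === target) {
        const version = lock.packages[path].version;
        chains.push({ chain: chain.join(" > "), version, vulnerable: !atLeast(version, patchedFloor) });
      } else walk(path, chain, new Set(seen).add(path));
    }
  };
  walk("", [], new Set());
  return chains;
}

console.log(findChains(LOCK, "glob-parent", "5.1.2")); // one chain, version 3.1.0, vulnerable: true
```

Pointing `LOCK` at a parsed real `package-lock.json` shows which top-level dependency must be bumped (here globby) for the chain to disappear or reach the patched floor.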
nolde commented 2 years ago

Yeah, sorry about the delay, I'll take a look at dependencies this week.

vonBarbarosa commented 2 years ago

Hi @nolde, I created the PR to solve this issue: #50. If you could take a look, that would be great! \o/ Thanks!

nolde commented 2 years ago

I've merged your PR to the next branch, along with further dependency changes. A new version has been deployed to npm.

Could you download the release candidate version and let me know if it works fine for your projects?

npm i -D serverless-plugin-browserifier@next

vonBarbarosa commented 2 years ago

Thanks! I'm talking to my team so we can test this soon. I'll let you know our results.

nolde commented 2 years ago

Well, my tests were fine, so I'll release this one for now. If you find any problems, let me know.