import-js / eslint-plugin-import

ESLint plugin with rules that help validate proper imports.
MIT License

Debug 2.6.9 dependency vulnerability on eslint-plugin-import version 2.6.0 #2659

Closed trombini77 closed 1 year ago

trombini77 commented 1 year ago

Snyk reported a vulnerability on package debug 2.6.9, which is in the package.json `dependencies` field of eslint-plugin-import version 2.6.0 (from npmjs):

Vulnerability Report: https://security.snyk.io/package/npm/debug/2.6.9

https://www.npmjs.com/package/eslint-plugin-import?activeTab=explore

  "dependencies": {
    "array-includes": "^3.1.4",
    "array.prototype.flat": "^1.2.5",
    "debug": "^2.6.9",
    "doctrine": "^2.1.0",
    "eslint-import-resolver-node": "^0.3.6",
    "eslint-module-utils": "^2.7.3",
    "has": "^1.0.3",
    "is-core-module": "^2.8.1",
    "is-glob": "^4.0.3",
    "minimatch": "^3.1.2",
    "object.values": "^1.1.5",
    "resolve": "^1.22.0",
    "tsconfig-paths": "^3.14.1"
  }

Does anybody have the intention to fix it? Thanks.

ljharb commented 1 year ago

a) This is not a valid vulnerability for the package; you should just ignore it.
b) This is a duplicate of #2657 and a duplicate of #2658.
c) debug is updated to v3 in https://github.com/import-js/eslint-plugin-import/commit/404b5cef76ee6f5f13b678a41349ca923eb97b57

The vast majority of transitive vulnerabilities in the JS ecosystem are false positives, and the default course of action should be to confirm that, and ignore them - this is no different.