jakejs / jake

JavaScript build tool, similar to Make or Rake. Built to work with Node.js.
http://jakejs.com
Apache License 2.0
1.97k stars 190 forks

npm install warns to update minimatch to avoid RegExp DoS issue #322

Open sudheesh001 opened 8 years ago

sudheesh001 commented 8 years ago
$ npm install -g jake
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
C:\Users\susingan\AppData\Roaming\npm\jake -> C:\Users\susingan\AppData\Roaming\npm\node_modules\jake\bin\cli.js
C:\Users\susingan\AppData\Roaming\npm
`-- jake@8.0.12
  +-- async@0.9.2
  +-- chalk@0.4.0
  | +-- ansi-styles@1.0.0
  | +-- has-color@0.1.7
  | `-- strip-ansi@0.1.1
  +-- filelist@0.0.4
  | +-- minimatch@0.3.0
  | `-- utilities@0.0.37
  +-- minimatch@0.2.14
  | +-- lru-cache@2.7.3
  | `-- sigmund@1.0.1
  `-- utilities@1.0.4
welearnednothing commented 8 years ago

Does anyone know if updating to Minimatch 3.x will introduce any breaking changes? The versions in use are pretty old and I don't know if the project is following semantic versioning.

On Aug 17, 2016, at 10:23 PM, Sudheesh Singanamalla notifications@github.com wrote:


mde commented 7 years ago

The change from node-glob (which was a C lib) to minimatch wasn't all that traumatic. And we do have pretty good test coverage. We should know pretty quickly if there is major breakage. Would love a PR that upgrades this!

evansjarom11 commented 1 year ago

This vulnerability still exists. Please update the dependency to 3.0.5 or higher. See: CVE-2022-3517