mapbox / node-pre-gyp

Node.js tool for easy binary deployment of C++ addons
BSD 3-Clause "New" or "Revised" License

Vulnerability in inflight #705

Open izumo27 opened 9 months ago

izumo27 commented 9 months ago

This package depends on inflight and it is vulnerable. https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

$ npm ls inflight --omit=dev
@mapbox/node-pre-gyp@1.0.11 /Users/...
└─┬ rimraf@3.0.2
  └─┬ glob@7.1.6
    └── inflight@1.0.6

Any plans for a fix?
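An added example (not code from node-pre-gyp or anyone in this thread) that does the same check the `npm ls` output above shows, but on the JSON form of the tree: it lists every path from the root package to a named package and which direct dependency heads each path, which is the one that has to be bumped. SAMPLE_TREE is constructed to mirror the output above; replacing it with the parsed output of `npm ls --json --omit=dev` runs it on a real project.

```javascript
// Constructed dependency tree in the shape `npm ls --json` produces
// (a "dependencies" map keyed by name, each entry carrying "version").
// It mirrors the chain quoted in the issue, plus a second direct
// dependency with no path to inflight, so unrelated branches are skipped.
const SAMPLE_TREE = {
  name: '@mapbox/node-pre-gyp',
  version: '1.0.11',
  dependencies: {
    rimraf: {
      version: '3.0.2',
      dependencies: {
        glob: {
          version: '7.1.6',
          dependencies: { inflight: { version: '1.0.6' } },
        },
      },
    },
    tar: { version: '6.1.11' }, // constructed, not from the issue
  },
};

// Walk the tree depth-first and collect every path that ends in `target`.
// Each hit records the full "name@version" chain and the direct dependency
// (first hop below the root) that pulls the target in.
function findDependencyPaths(tree, target) {
  const hits = [];
  const walk = (node, name, trail) => {
    const chain = trail.concat(`${name}@${node.version}`);
    if (name === target && trail.length > 0) {
      hits.push({ chain, directDependency: trail.length > 1 ? chain[1].split('@')[0] : name });
    }
    for (const [depName, child] of Object.entries(node.dependencies || {})) {
      walk(child, depName, chain);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Render the hits the way `npm ls` draws a chain, one line per path.
function report(tree, target) {
  const hits = findDependencyPaths(tree, target);
  if (hits.length === 0) return `${target}: not present in the dependency tree`;
  return hits
    .map((h) => `${h.chain.join(' > ')}  (bump direct dependency: ${h.directDependency})`)
    .join('\n');
}

console.log(report(SAMPLE_TREE, 'inflight'));
```
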

pnappa commented 8 months ago

I opened a fix a few days ago. #707

pnappa commented 6 months ago

As a strawpoll, I'm curious what packages you guys are using that depend on this package? It looks like it's not been maintained for a bit, and now there are a few alternatives to use, so it may be wise to try and get those dependencies updated to use a more up-to-date package.

Personally, I use node-argon, which used to depend on this but doesn't anymore; they switched to just using node-gyp-build + prebuildify. See this commit: https://github.com/ranisalt/node-argon2/commit/b47602840a259946039db8526ddd182d1430f634#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519

Luen commented 6 months ago

Looks like glob was updated in rimraf v4 & v5 which removed the inflight package.

sabex commented 5 months ago

This fix would be good. We use libxmljs, which pulls in node-pre-gyp, so we are impacted by this vulnerability. Accepting @pnappa's pull request would be great.

cclauss commented 5 months ago

% npm audit

# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

2 vulnerabilities (1 moderate, 1 critical)