Fast, minimal glob matcher for node.js. Similar to micromatch, minimatch and multimatch, but without support for extended globs (extglobs), posix brackets or braces, and with complete Bash 4.3 wildcard support: ("*", "**", and "?").
https://nvd.nist.gov/vuln/detail/CVE-2019-10747
CVE-2019-10747 More information
high severity
Vulnerable versions: < 2.0.1
Patched version: 2.0.1
set-value is vulnerable to Prototype Pollution in versions before 2.0.1 and version 3.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.
Hello, can you please cut a new version tag?
There is a vulnerability in a dependent package, see below for details. Good news: Your master branch already contains the fix: https://github.com/micromatch/nanomatch/blob/master/package.json#L38.
Details on vuln: