mysticatea / cpx

A cli tool to watch and copy file globs.
MIT License

Fix security warning #41

Closed quilicicf closed 6 years ago

quilicicf commented 6 years ago

Hi,

When installing cpx as a dependency of a project, npm gave me a warning about a vulnerability. The problem comes from dependency chokidar, I've created an issue there.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cpx [dev]                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cpx > chokidar > fsevents > node-pre-gyp > rc > deep-extend  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I also noticed that the badge on the README points to another vulnerability, on debug this time (cf David report).

Thanks for developing cpx. I can commit a fix if that helps.
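
As an added illustration of the bug class behind the advisory above (this is not code from cpx, chokidar or deep-extend): a naive recursive merge walks into a `"__proto__"` key coming from untrusted JSON and writes onto `Object.prototype`, while the hardened variant copies only own properties and skips the keys that reach the prototype chain. The names `naiveMerge`, `safeMerge` and `leaksIntoPrototype`, and the sample document, are constructed for this example.

```javascript
// Vulnerable: trusts every enumerable key of `source`, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// descends into it and writes the attacker-controlled properties there.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys through which a merge can reach Object.prototype or a constructor.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: own keys only, unsafe keys skipped, and nested targets are only
// reused when they are own data properties of `target`.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, as a config file parsed with JSON.parse would be.
// JSON.parse creates an *own* property literally named "__proto__".
const UNTRUSTED = JSON.parse('{"opts":{"verbose":true},"__proto__":{"polluted":"yes"}}');

// Check used for both variants: does merging `input` with `merge` leave a
// property visible on an unrelated object? Cleans up afterwards.
function leaksIntoPrototype(merge, input) {
  const probe = {};
  merge({}, input);
  const leaked = 'polluted' in probe;
  delete Object.prototype.polluted;
  return leaked;
}
```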

quilicicf commented 6 years ago

I opened a PR to try and fix all non-low vulnerabilities: https://github.com/mysticatea/cpx/pull/43

mysticatea commented 6 years ago

I'm sorry for my oversight. Thank you for this report and that PR.

I will take a look at the PR within this week.

quilicicf commented 6 years ago

No harm done, thanks

mysticatea commented 6 years ago

#43 was merged. Thank you!