mysticatea / cpx

A cli tool to watch and copy file globs.
MIT License

Upgrade libraries, fix vulnerabilities #63

Open wilmerhmg opened 4 years ago

wilmerhmg commented 4 years ago

This PR updates libraries, and fixes vulnerabilities reported at https://www.npmjs.com/advisories/786

codecov[bot] commented 4 years ago

Codecov Report

Merging #63 into master will increase coverage by 0.95%. The diff coverage is n/a.


@@            Coverage Diff             @@
##           master      #63      +/-   ##
==========================================
+ Coverage   83.93%   84.89%   +0.95%     
==========================================
  Files          17       17              
  Lines         610      556      -54     
==========================================
- Hits          512      472      -40     
+ Misses         98       84      -14     
Impacted Files               Coverage Δ
lib/utils/apply-action.js     62.50% <0.00%> (-1.39%) ↓
lib/utils/copy-file.js        70.45% <0.00%> (-0.70%) ↓
bin/index.js                 100.00% <0.00%> (ø)
lib/utils/watcher.js          84.37% <0.00%> (+2.06%) ↑

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 692b67b...36ad868.

Misiu commented 4 years ago

I just ran Snyk and got this warning:

  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:braces:20180219] in braces@1.8.5
    introduced by cpx@1.5.0 > chokidar@1.7.0 > anymatch@1.3.2 > micromatch@2.3.11 > braces@1.8.5
  This issue was fixed in versions: 2.3.1

KirilVandov commented 3 years ago

Can we expect this change to be merged? Or do we need to manually patch it locally :(

Regular Expression Denial of Service

Package braces

Patched in >=2.3.1

Dependency of cpx [dev]

Path cpx > chokidar > anymatch > micromatch > braces
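The Snyk and npm audit reports above both boil down to one question: is a copy of braces below 2.3.1 reachable from this project, and through which packages? The following is an added example (not code from the cpx project or from anyone in this thread) that answers it by walking a package-lock.json in the v1 nested format and printing each offending copy with its install path in the same "a > b > c" form Snyk uses. The lockfile fragment is constructed to mirror the path reported above; on a real lockfile, npm's hoisting may make the nesting path shorter than the require chain.

```javascript
// Added example, not code from the cpx project: scan a package-lock.json (v1
// nested format) for installed copies of a package below its patched version
// and report where each copy lives, as "parent > child > ..." like Snyk does.

// Constructed lockfile fragment mirroring the dependency path reported above.
const sampleLock = { dependencies: { cpx: { version: "1.5.0", dev: true, dependencies: {
  chokidar: { version: "1.7.0", dependencies: { anymatch: { version: "1.3.2", dependencies: {
    micromatch: { version: "2.3.11", dependencies: { braces: { version: "1.8.5" } } } } } } } } },
  braces: { version: "2.3.1" } } };

// Compare dotted numeric versions; returns <0, 0 or >0 (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk every nested "dependencies" map and collect copies of `name` whose
// version is below `patched`. Each hit records its install path and whether
// it is only reachable through a dev dependency (inherited from any ancestor).
function findVulnerable(lock, name, patched) {
  const hits = [];
  function walk(deps, path, dev) {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      const here = [...path, pkg];
      const isDev = dev || meta.dev === true;
      if (pkg === name && compareVersions(meta.version, patched) < 0) {
        hits.push({ version: meta.version, path: here.join(" > "), dev: isDev });
      }
      walk(meta.dependencies, here, isDev);
    }
  }
  walk(lock.dependencies, [], false);
  return hits;
}

for (const hit of findVulnerable(sampleLock, "braces", "2.3.1")) {
  console.log(`braces@${hit.version} (< 2.3.1) via ${hit.path}${hit.dev ? " [dev]" : ""}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.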

golfovi commented 3 years ago

Hi! could this PR be merged please?

rjz-avaleo commented 3 years ago

There's a bigger problem than only those vulnerabilities. The last release of this project was in 2016; version 1.5.0, which is the newest one, was created 5 years ago. I believe that this project is just dead. Fortunately no one uses cpx in production code, only for building, so all vulnerabilities can be just ignored, because they aren't real problems, although I'd say that it's not an ideal situation, because everyone using this tool will have to maintain the ignored list of vulnerabilities by himself.

rjz-avaleo commented 3 years ago

I found this: https://www.npmjs.com/package/cpx-fixed It seems someone forked this repo (and then another one) to be able to release new versions.