orval-labs / orval

orval is able to generate client with appropriate type-signatures (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification, either in yaml or json formats. 🍺
https://orval.dev
MIT License

Should micromatch package in orval/core be bumped to 4.0.8 due to Snyk vulnerability report? #1655

Open EddTally opened 1 month ago

EddTally commented 1 month ago

What are the steps to reproduce this issue?

  1. Run snyk test --severity-threshold=high on package after installing

What happens?

Receive error: ✗ Inefficient Regular Expression Complexity [High Severity][https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728] in micromatch@4.0.7 introduced by orval@6.31.0 > @orval/angular@6.31.0 > @orval/core@6.31.0 > micromatch@4.0.7 and 1 other path(s) This issue was fixed in versions: 4.0.8

What were you expecting to happen?

Snyk to be fine with all Orval dependencies

Any other comments?

Snyk report is here: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
Does this affect us and should we bump micromatch in orval/core to 4.0.8?

What versions are you using?

npmPackages:
  @tanstack/svelte-query: ^5.56.2 => 5.56.2
  axios: ^1.7.7 => 1.7.7
  msw: ^2.4.9 => 2.4.9
  orval: ^7.1.1 => 7.1.1
  svelte: ^4.2.19 => 4.2.19

melloware commented 1 month ago

@EddTally sure if you want to submit a PR and test it I am fine with that!