selaux / node-sprite-generator

Generates image sprites and their spritesheets (css, stylus, sass or less) from sets of images. Supports retina sprites. Provides express middleware and grunt task.
MIT License

0.10.2 version is vulnerable, please publish the GitHub changes to npm ? #62

Closed Ilshidur closed 1 year ago

Ilshidur commented 7 years ago

The 0.10.2 version published to npm uses the glob@5.0.10 package (see its package.json). This glob@5.0.10 version is vulnerable to RegEx (mentioned in this GitHub issue), and this was fixed in the glob@7.0.5 version.

I know the current package on GitHub has already fixed it by now (🎉) using the glob@7.1.1 package (see its package.json) ... but this change has not been published to npm yet.

It would be nice to publish a new version of the package (like 0.10.3) with these changes.

selaux commented 7 years ago

In which case would this be applicable? Only if you allow user-input for the glob parameters, right? Is that a use-case that you have?

Ilshidur commented 7 years ago

No, I don't have such a use case. The reason I opened this issue is that I am using a tool called Snyk that checks the potential vulnerabilities of GitHub/npm projects. This tool reports the vulnerability I gave above.

Also, I made this issue for the sake of up-to-date dependencies. I can help on this task if necessary.

Anyway, thanks for this awesome package.
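As an added example (not code from this project or from the thread), the kind of check a Snyk-style audit automates: walk a dependency tree in the shape `npm ls --json` emits and report every resolved `glob` below the fixed release named above. The sample tree is constructed; the `npm ls` output shape and the 7.0.5 threshold are the only assumptions.

```javascript
// Added example, not part of node-sprite-generator: flag any transitive
// "glob" resolved below the release the issue names as fixed (7.0.5).
const FIXED_GLOB = '7.0.5';

// Compare two dotted release versions numerically (pre-release tags stripped).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every dependency path at which `pkgName` is resolved
// to a version below `minFixed`. `tree` follows the `npm ls --json` shape
// (assumption): { dependencies: { name: { version, dependencies } } }.
function findVulnerable(tree, pkgName, minFixed, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(`${name}@${info.version}`);
    if (name === pkgName && compareVersions(info.version, minFixed) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(info, pkgName, minFixed, here));
  }
  return hits;
}

// Constructed sample: node-sprite-generator@0.10.2 as published to npm
// (pulling glob@5.0.10) next to an unrelated package on a fixed glob.
const sampleTree = {
  dependencies: {
    'node-sprite-generator': {
      version: '0.10.2',
      dependencies: { glob: { version: '5.0.10' } },
    },
    'some-other-tool': {
      version: '1.0.0',
      dependencies: { glob: { version: '7.1.1' } },
    },
  },
};

const findings = findVulnerable(sampleTree, 'glob', FIXED_GLOB);
findings.forEach((f) => console.log('vulnerable glob at: ' + f));
```

Feeding real `npm ls --json` output (parsed with `JSON.parse`) in place of `sampleTree` lists every path through which the old glob reaches a project.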