Closed Ilshidur closed 1 year ago
In which case would this be applicable? Only if you allow user-input for the glob parameters, right? Is that a use-case that you have?
No, I don't have such a use case. The reason I opened this issue is that I am using a tool called Snyk that checks the potential vulnerabilities of GitHub/npm projects. This tool reports the vulnerability I gave above.
Also, I made this issue for the sake of up-to-date dependencies. I can help on this task if necessary.
Anyway, thanks for this awesome package.
The 0.10.2 version published to npm uses the glob@5.0.10 package (see its package.json). This glob@5.0.10 version is vulnerable to RegEx (mentioned in this GitHub issue), which was fixed in the glob@7.0.5 version.
I know the current package on GitHub has already fixed it by now (🎉) using the glob@7.1.1 package (see its package.json) ... but this change has not been published to npm yet.
It would be nice to publish a new version of the package (like 0.10.3) with these changes.