Closed hadasmeitav closed 1 year ago
Ok but just so you're aware there's no way to actually exploit this vulnerability since as an end user you don't have any control over the input that is vulnerable (requested path). So in that sense this vulnerability doesn't apply to your code already.
These vulnerability reports are generally overrated, and it would be appreciated if you only open an issue about it if you can confirm that the vulnerability is relevant (:
you're right, but nevertheless my company can't pass the external security inspection because of this...
I just checked... 1) there are no updates available for `serve-handler`, and 2) I don't even have this vulnerable `minimatch` version installed in this project... as you can see here:

This defines `3.1.2` as the version to be installed/used, and in the following lines you can see that this is also the version that `serve-handler` requires:

What you probably have is that your own lock-file has this outdated `minimatch` version pinned... I assume you can fix this by running `npm upgrade` (or `yarn upgrade` would be equivalent) without any arguments, which will upgrade all available package updates that are in-range for your project. Or if you don't want to touch everything, you can try `npm upgrade minimatch` as well.
BTW if your company benefits from this project and would be able to sponsor me even in the slightest form, that would be greatly appreciated and mean that I can more actively support you (:
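One way to confirm the situation the maintainer describes (a lock file that still pins an older `minimatch` nested under `serve-handler`), as an added example that is not code from serve-handler or from anyone in this thread. The 3.0.4 and 3.1.2 versions come from the thread; the sample lock object and the `serve-handler` version in it are constructed.

```javascript
// Added example: list every copy of minimatch resolved in a package-lock.json
// and flag those older than 3.1.2, the version the maintainer's lock resolves.
const FIXED_MINIMATCH = '3.1.2';

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every resolved copy of `name` from a parsed lock file.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree, walked recursively.
function findPackageVersions(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + name)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + dep;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Copies of minimatch that are older than the fixed version.
function outdatedMinimatch(lock) {
  return findPackageVersions(lock, 'minimatch')
    .filter((h) => compareVersions(h.version, FIXED_MINIMATCH) < 0);
}

// Constructed sample lock (lockfileVersion 2): the top-level minimatch is
// current, but a nested copy under serve-handler is still pinned at 3.0.4.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/minimatch': { version: '3.1.2' },
    'node_modules/serve-handler': { version: '0.0.0-constructed' },
    'node_modules/serve-handler/node_modules/minimatch': { version: '3.0.4' },
  },
};
```

Run it against a real lock with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result is exactly the nested pin that `npm upgrade minimatch` is meant to clear.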
Context:

As a sub-dependency, you're using the `serve-handler` library, which uses the `minimatch` library. `minimatch` version 3.0.4 is vulnerable. Can we update the `serve-handler` version so that this vulnerability issue won't apply to my code? Thanks in advance 🙏