sindresorhus / cpy-cli

Copy files
MIT License

Update dependency cpy to fix security advisory #32

Closed rmuchall closed 2 years ago

rmuchall commented 3 years ago

npm audit has the following security advisory for cpy-cli:

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   cpy-cli [dev]
  Path            cpy-cli > cpy > globby > fast-glob > glob-parent
  More info       https://npmjs.com/advisories/1751

link: https://npmjs.com/advisories/1751

It looks like this has already been fixed in your library cpy. details: https://github.com/sindresorhus/cpy/issues/84
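The advisory path above (cpy-cli > cpy > globby > fast-glob > glob-parent) is a transitive dependency, so the practical question for anyone consuming cpy-cli is which glob-parent versions actually end up in their lockfile. The following Node script is an added example, not code from cpy-cli or from the issue: it walks a package-lock.json (lockfileVersion 1, 2 or 3), lists every installed copy of glob-parent, and flags those below the patched version 5.1.2 stated in the advisory. The embedded lockfile fragment and its version numbers are constructed for illustration.

```javascript
// Added example: report installed copies of an advisory's package in a
// package-lock.json and flag those below the patched version.
// The package name and patched version come from the npm advisory quoted
// in the issue; everything else here is an assumption for the demo.
const ADVISORY = { name: 'glob-parent', patchedIn: '5.1.2' };

// Minimal comparison for plain x.y.z versions (no prerelease/build tags).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name` in a lockfile.
// lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
// lockfileVersion 1:   nested "dependencies" tree.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === '' || !meta.version) continue; // '' is the root project
      if (p.split('node_modules/').pop() === name) {
        hits.push({ path: p, version: meta.version, dev: Boolean(meta.dev) });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${depName}`;
      if (depName === name) {
        hits.push({ path: p, version: meta.version, dev: Boolean(meta.dev) });
      }
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Annotate each installed copy with whether it is below the patched version.
function auditLock(lock, advisory = ADVISORY) {
  return findInstalled(lock, advisory.name).map((h) => ({
    ...h,
    vulnerable: compareVersions(h.version, advisory.patchedIn) < 0,
  }));
}

// Constructed lockfileVersion 2 fragment mirroring the advisory's path:
// a hoisted, unpatched glob-parent plus a nested, patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', devDependencies: { 'cpy-cli': '*' } },
    'node_modules/cpy-cli': { version: '3.1.1', dev: true },
    'node_modules/cpy': { version: '8.1.2', dev: true },
    'node_modules/globby': { version: '9.2.0', dev: true },
    'node_modules/fast-glob': { version: '2.2.7', dev: true },
    'node_modules/glob-parent': { version: '5.1.1', dev: true },
    'node_modules/fast-glob/node_modules/glob-parent': { version: '5.1.2', dev: true },
  },
};

// Stand-alone usage: pass a lockfile path as the first argument, otherwise
// the constructed sample is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const h of auditLock(lock)) {
    const state = h.vulnerable ? 'BELOW PATCH' : 'ok';
    console.log(`${state.padEnd(11)} ${ADVISORY.name}@${h.version} ${h.path}`);
  }
}
```

Run it as `node audit-lock.js package-lock.json` against a real lockfile; with no argument it audits the constructed sample and reports the hoisted 5.1.1 copy as below the patch while the nested 5.1.2 copy passes. Because the nested copy does not protect the hoisted one, a clean result requires every listed path to be at or above 5.1.2.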

dkimmich-onventis commented 3 years ago

The version was updated in the code, but cpy didn't release a new version yet, see this comment, so currently this can't be fixed.

rchisholm commented 2 years ago

Any update on this? It's the only vulnerability we've had for several months.

nvandamme commented 2 years ago

A version of cpy implementing the fix has been released: https://github.com/sindresorhus/cpy/releases/tag/v9.0.0

andy2mrqz commented 2 years ago

@sindresorhus I am happy to help update the dependencies to use the latest version of cpy if it would help save you some time - I saw you were committing in the last couple of days though, so I'm not sure if you're prepping to tag a new release and this is already on your agenda.

sindresorhus commented 2 years ago

PR welcome :)