sindresorhus / cpy

Copy files
MIT License
425 stars 63 forks

Dependency globby security vulnerability #96

Closed kkmavr closed 2 years ago

kkmavr commented 2 years ago

There is a vulnerability in the glob-parent library used. cpy > globby 9.2.0 > fast-glob 2.2.6 > glob-parent 3.1.0

GHSA-ww39-953v-wcq6

Is there a chance to update globby to v12.0.0 or a later one, so that it ends up using glob-parent v5.1.2 which is the patched version?
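The chain quoted above is a transitive one, so the practical check is to walk the installed tree rather than look at cpy's own package.json. The following is an added example, not code from cpy, globby or the issue author: it walks a dependency tree in the nested shape that `npm ls --json` prints and reports every path ending in a glob-parent older than 5.1.2, the patched release named in the issue. The tree is constructed here to mirror the quoted chain; the cpy version and the second, already-patched branch are made up for illustration.

```javascript
// Added example: find every dependency path that ends in a glob-parent
// release older than the patched 5.1.2. Not code from cpy or globby.

// Package -> first release considered fixed (from the issue text).
const FIXED = { 'glob-parent': '5.1.2' };

// "5.1.2" -> [5, 1, 2]. Numeric compare, so 10.0.0 sorts after 9.9.9;
// prerelease tags are deliberately not handled (lockfiles pin releases).
function parseVersion(v) {
  return v.split('.').map(Number);
}

function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Depth-first walk over the nested `dependencies` maps. Returns one
// "name@version > name@version > ..." string per vulnerable leaf.
function findVulnerable(tree, fixed = FIXED, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name in fixed && lessThan(node.version, fixed[name])) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(node, fixed, here));
  }
  return hits;
}

// Constructed sample tree. The cpy > globby > fast-glob > glob-parent
// versions are the ones quoted in the issue; the cpy version (8.1.2)
// is assumed, and the `other-tool` branch is invented to show a
// sibling that already resolves to a patched glob-parent.
const sampleTree = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    cpy: {
      version: '8.1.2',
      dependencies: {
        globby: {
          version: '9.2.0',
          dependencies: {
            'fast-glob': {
              version: '2.2.6',
              dependencies: { 'glob-parent': { version: '3.1.0' } },
            },
          },
        },
      },
    },
    'other-tool': {
      version: '1.0.0',
      dependencies: {
        'fast-glob': {
          version: '3.2.7',
          dependencies: { 'glob-parent': { version: '5.1.2' } },
        },
      },
    },
  },
};

for (const hit of findVulnerable(sampleTree)) {
  console.log('vulnerable:', hit);
}
```

On a real project the same walker can be pointed at the output of `npm ls --all --json`; only the first offending path through cpy is reported above, which is exactly the chain the issue quotes, while the patched sibling is silent.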

kkmavr commented 2 years ago

Thank you for the fix. Could I ask, when is the next scheduled release, so that we can get this fix?

sindresorhus commented 2 years ago

When https://github.com/sindresorhus/cpy/pull/92 is merged.

stof commented 2 years ago

@sindresorhus is there any chance to release a non-ESM version of cpy upgrading to globby 10+ (the one using fast-glob 3 and so a patched version of glob-parent), to allow upgrades for downstream packages that cannot migrate to ESM yet? For instance, for a webpack plugin (I know some of them depending on cpy), it might be hard to migrate to ESM, as I don't think webpack supports ESM config files yet.

sindresorhus commented 2 years ago

I don't have any plans to backport. Most users use globby asynchronously and can use the ESM from CommonJS by using await import(…).
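The `await import(…)` route mentioned above is the one form of import that CommonJS code can use to reach an ESM-only package. The following is an added example, not code from cpy, globby or the maintainer: a small CommonJS-compatible loader that resolves the ESM module once, caches the promise, and hands back the named export a caller asks for. It assumes the target package exposes the function under the export name passed in (globby 12 exports its async function as the named export `globby`); the `specifier` parameter exists only so the loader can be exercised against a module other than the real package.

```javascript
// Added example: load an ESM-only dependency from CommonJS via import().
// Not code from cpy or globby. Works in both CommonJS and ESM callers
// because import() is available in either.

const moduleCache = new Map();

// Resolve `specifier` with the ESM loader once and cache the promise so
// concurrent callers share a single load. Returns the requested export.
async function loadEsm(specifier, exportName = 'default') {
  if (!moduleCache.has(specifier)) {
    moduleCache.set(specifier, import(specifier));
  }
  const namespace = await moduleCache.get(specifier);
  if (!(exportName in namespace)) {
    throw new Error(`${specifier} has no export named "${exportName}"`);
  }
  return namespace[exportName];
}

// What a CommonJS consumer (for example a webpack plugin) would keep
// calling: the ESM-only globby is loaded lazily on first use. The
// export name `globby` is assumed from globby 12's named exports.
async function globFiles(patterns, options = {}, specifier = 'globby') {
  const globby = await loadEsm(specifier, 'globby');
  return globby(patterns, options);
}

// Utility used by the stand-alone run below: build an inline ESM module
// as a data: URL so the loader can be demonstrated without installing
// anything. Real callers pass a package name, not a data: URL.
function inlineModule(source) {
  return 'data:text/javascript,' + encodeURIComponent(source);
}

// Constructed stand-in for globby: returns its patterns upper-cased so
// the round trip through import() is visible.
const fakeGlobby = inlineModule(
  'export const globby = async (patterns) => patterns.map((p) => p.toUpperCase());'
);

globFiles(['src/**/*.js'], {}, fakeGlobby).then((paths) => {
  console.log('resolved via import():', paths);
});
```

The only synchronous API a CommonJS caller loses is `globbySync`; everything the thread describes as the common asynchronous usage maps onto this pattern unchanged.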

jacob-israel-turner commented 2 years ago

Hey guys! This is blocking security updates for Storybook. Any word on when we'll see #92 merged?

Here are some relevant issues: https://github.com/storybookjs/storybook/issues/15174 https://github.com/nrwl/nx/issues/5998

Thanks!