Closed isuftin closed 2 years ago
@SimonSiefke - can this be bumped?
Is there any update on this? We have Dependabot alerts with high severity.
@sindresorhus The updated dependencies are already included in the project. Is anything still blocking the release of a new version? Can we help in any way?
It's blocked by https://github.com/sindresorhus/cpy/pull/92
@sindresorhus is it actually truly blocked by that PR - or does that PR just happen to address the issue, amongst other things? Wondering because that PR seems to have stalled, and this remains a "high severity" CVE alert, months on. It either needs a new champion, or for the transitive dependency aspects to be cherry-picked.
Any update on this? It's the only vulnerability we've had for several months.
cpy depends on globby @ ^12.0.2. Following the dependency chain, this also pulls in globby @ 9.2.0. That version of globby depends on fast-glob which depends on glob-parent at a specific version with a vulnerability.
The latest version of globby has a dependency tree which does pull in a fixed version of glob-parent.
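To check a chain like the one described above in your own project, the script below walks a package-lock style `packages` map with npm's nearest-`node_modules` resolution and lists every path from the root to a target package, flagging those that resolve to a version below a fixed threshold. This is an added example, not code from cpy, globby or the thread; only globby ^12.0.2 and globby 9.2.0 are taken from the comment, while every other package, version, the `legacy-helper` package and the `FIXED_GLOB_PARENT` threshold are constructed or assumed placeholders.

```javascript
// Constructed package-lock.json "packages" map (lockfile v2/v3 layout).
// Only globby ^12.0.2 and globby 9.2.0 come from the thread; every other
// package and version (and "legacy-helper" itself) is a made-up placeholder.
const LOCKFILE = {
  packages: {
    "": { dependencies: { cpy: "^8.1.0" } },
    "node_modules/cpy": { version: "8.1.0",
      dependencies: { globby: "^12.0.2", "legacy-helper": "^1.0.0" } },
    "node_modules/globby": { version: "12.0.2", dependencies: { "fast-glob": "^3.0.0" } },
    "node_modules/fast-glob": { version: "3.2.0", dependencies: { "glob-parent": "^5.1.2" } },
    "node_modules/glob-parent": { version: "5.1.2" },
    "node_modules/legacy-helper": { version: "1.0.0", dependencies: { globby: "^9.0.0" } },
    "node_modules/legacy-helper/node_modules/globby": { version: "9.2.0",
      dependencies: { "fast-glob": "^2.0.0" } },
    "node_modules/legacy-helper/node_modules/fast-glob": { version: "2.2.0",
      dependencies: { "glob-parent": "^3.0.0" } },
    "node_modules/legacy-helper/node_modules/glob-parent": { version: "3.1.0" },
  },
};
// Assumed threshold; take the real fixed version from the advisory behind the alert.
const FIXED_GLOB_PARENT = "5.1.2";

// npm resolution: look in the requiring package's own node_modules, then walk
// up one node_modules level at a time until the project root is reached.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + "/" : ""}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Every dependency chain from the root package down to `target`, as name@version.
function dependencyPaths(packages, target) {
  const results = [];
  const walk = (path, chain, seen) => {
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const resolved = resolveDep(packages, path, name);
      if (!resolved || seen.has(resolved)) continue; // unresolved entry or cycle
      const node = `${name}@${packages[resolved].version}`;
      if (name === target) results.push([...chain, node]);
      else walk(resolved, [...chain, node], new Set(seen).add(resolved));
    }
  };
  walk("", [], new Set());
  return results;
}
// Minimal x.y.z comparison (no pre-release handling); true when a < b.
function versionLt(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Chains whose resolved copy of `target` is still below the fixed version.
function vulnerablePaths(packages, target, fixed) {
  return dependencyPaths(packages, target)
    .filter((chain) => versionLt(chain[chain.length - 1].split("@").pop(), fixed));
}
for (const chain of vulnerablePaths(LOCKFILE.packages, "glob-parent", FIXED_GLOB_PARENT))
  console.log("vulnerable:", chain.join(" > "));
```

On the constructed lockfile this reports only the nested chain through globby 9.2.0, while the chain through globby 12.0.2 resolves to the fixed glob-parent and is not listed.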