sindresorhus / globby

User-friendly glob matching
MIT License
2.51k stars 130 forks

Update dependency to remove vulnerability #185

Closed evansrobert closed 3 years ago

evansrobert commented 3 years ago

Subject of the issue

globby@9.2.0 requires glob-parent@3.1.0, which has a security problem (see: CVE-2020-28469): globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0

I do not know if this vulnerability actually affects globby, but it will show up in security reports about dependencies. Since a large number of developers still use globby@9.2.* (3,981,459 downloads per week), is there any possibility that you could release an updated version for 9.2.* (i.e. 9.2.1) that introduces a patched version (>=5.1.2) of glob-parent?

In globby@9.2.1, maybe you can perform the following update: fast-glob ^2.2.6 ➔ ^3.0.0 where fast-glob@3.0.0 ➔ glob-parent@5.1.2, and glob-parent@5.1.2 has fixed the vulnerability CVE-2020-28469.

sindresorhus commented 3 years ago

Upgrade to the latest Globby version. Globby 9 is not supported anymore.

sindresorhus commented 3 years ago

> In globby@9.2.1, maybe you can perform the following update: fast-glob ^2.2.6 ➔ ^3.0.0

That's not possible even if I wanted. v3 there has a lot of breaking changes.

sindresorhus commented 3 years ago

The only way to solve this is to get fast-glob to issue an update to v2 with the upgraded glob-parent dependency or some other workaround.

evansrobert commented 3 years ago

Thanks for your answer.
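The chain reported above (globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0) is the kind of nested, non-hoisted copy that a quick look at `package.json` misses. The following is an added example, not code from the globby project or from anyone in this thread: it scans an npm `package-lock.json` (assumed to be lockfileVersion 2 or 3, whose flat `packages` map is keyed by install path) for every installed copy of glob-parent and flags those below 5.1.2, the first fixed release for CVE-2020-28469 named in the thread. The sample lock file embedded in the script is constructed to mirror the reported chain next to a hoisted, already-patched copy; `other-dep` is a hypothetical package name.

```javascript
// Added example (not globby's code): find every installed copy of glob-parent
// in a package-lock.json (lockfileVersion 2/3) and flag the ones below the
// fixed version for CVE-2020-28469 that the thread names, 5.1.2.

// Minimal comparison for plain x.y.z versions; prerelease tags are ignored,
// which is enough for the release lines discussed in this issue.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recover the dependency chain from an install path, e.g.
// "node_modules/fast-glob/node_modules/glob-parent" -> ["fast-glob", "glob-parent"].
function chainFromPath(installPath) {
  return installPath
    .split('node_modules/')
    .filter(Boolean)
    .map((segment) => segment.replace(/\/$/, ''));
}

// One record per installed copy of `pkg`, in lockfile order. A copy is
// "vulnerable" when its version sorts below `fixedVersion`.
function findCopies(lock, pkg = 'glob-parent', fixedVersion = '5.1.2') {
  const copies = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith(`node_modules/${pkg}`)) continue;
    copies.push({
      path: installPath,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedVersion) < 0,
      via: chainFromPath(installPath),
    });
  }
  return copies;
}

// Human-readable report lines, one per copy, showing who pulled it in.
function report(copies) {
  return copies.map((c) =>
    `${c.vulnerable ? 'VULNERABLE' : 'ok        '} ${c.version.padEnd(8)} via ${c.via.join(' -> ')}`
  );
}

// Constructed sample lock file: the chain from the issue (globby@9.2.0 ->
// fast-glob@2.2.7 -> glob-parent@3.1.0, installed nested under fast-glob)
// plus a hoisted, patched copy required by a hypothetical "other-dep".
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { globby: '^9.2.0', 'other-dep': '^1.0.0' } },
    'node_modules/globby': { version: '9.2.0', dependencies: { 'fast-glob': '^2.2.6' } },
    'node_modules/fast-glob': { version: '2.2.7', dependencies: { 'glob-parent': '^3.1.0' } },
    'node_modules/fast-glob/node_modules/glob-parent': { version: '3.1.0' },
    'node_modules/other-dep': { version: '1.0.0', dependencies: { 'glob-parent': '^5.1.2' } },
    'node_modules/glob-parent': { version: '5.1.2' },
  },
};

// Scan the constructed sample; for a real project replace SAMPLE_LOCK with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
console.log(report(findCopies(SAMPLE_LOCK)).join('\n'));
```

Running it on the sample prints one `VULNERABLE 3.1.0 via fast-glob -> glob-parent` line and one `ok 5.1.2 via glob-parent` line, which is why the reporter's security scanner still complains even when a patched glob-parent is hoisted at the top level: the nested copy under fast-glob is the one fast-glob 2 actually loads. `npm ls glob-parent` gives the same picture interactively. The "other workaround" the maintainer mentions would be a package-manager pin (npm `overrides`, available from npm 8.3, or yarn `resolutions`) forcing glob-parent to >=5.1.2 for the whole tree; that forces a major version fast-glob 2 was not written against, so it needs a test run rather than being assumed safe, whereas a fast-glob v2 point release with the upgraded dependency would resolve the chain without that risk.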