Closed evansrobert closed 3 years ago
Upgrade to the latest Globby version. Globby 9 is not supported anymore.
In globby@9.2.1, maybe you can perform the following update: fast-glob ^2.2.6 ➔ ^3.0.0
That's not possible even if I wanted. v3 there has a lot of breaking changes. The only way to solve this is to get fast-glob to issue an update to v2 with the upgraded glob-parent dependency or some other workaround.
Thanks for your answer.
Subject of the issue
globby@9.2.0 requires glob-parent@3.1.0, which has a security problem (see: CVE-2020-28469):
globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0
I do not know if this vulnerability actually affects globby, but it will show up in security reports about dependencies. Since a large number of developers still use globby@9.2.* (3,981,459 downloads per week), is there any possibility that you could release an updated version for 9.2.* (i.e. 9.2.1) that introduces a patched version (>=5.1.2) of glob-parent?
In globby@9.2.1, maybe you can perform the following update:
fast-glob ^2.2.6 ➔ ^3.0.0
where fast-glob@3.0.0 ➔ glob-parent@5.1.2, and glob-parent@5.1.2 has fixed the vulnerability CVE-2020-28469.