versusbassz / entity-viewer

Displays data (properties, custom fields) of WordPress entities (posts, users, terms, comments) for developers
https://wordpress.org/plugins/entity-viewer/
GNU General Public License v2.0
15 stars 1 forks

glob-parent security issue #34

Closed versusbassz closed 3 years ago

versusbassz commented 3 years ago
Dependabot cannot update glob-parent to a non-vulnerable version
The latest possible version that can be installed is 3.1.0 because of the following conflicting dependency:

@babel/cli@7.14.3 requires glob-parent@^3.1.0 via @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents
The earliest fixed version is 5.1.2.

https://github.com/advisories/GHSA-ww39-953v-wcq6

CVE-2020-28469
high severity
Vulnerable versions: < 5.1.2
Patched version: 5.1.2
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Discussions in the babel repo

versusbassz commented 3 years ago

Done by updating npm deps, coz babel already fixed that on their side.
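
To confirm which installed copy of glob-parent is still below 5.1.2, and which package pulls it in, the lockfile can be walked directly. The following is an added example, not code from this issue or from the plugin: the sample lockfile is constructed to mirror the chain Dependabot reported, and `findVulnerable` and `isBelow` are hypothetical names. It goes slightly beyond the issue by handling both the nested lockfileVersion 1 layout and the flat `packages` map of lockfileVersion 2/3.

```javascript
// Added example (hypothetical helpers): find glob-parent copies below the fixed release.
const FIXED = "5.1.2"; // earliest fixed version, from the advisory quoted above
// Compare the numeric major.minor.patch parts only (prerelease tags ignored).
function isBelow(version, fixed) {
  const a = version.split("-")[0].split(".").map(Number);
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== b[i]) return (a[i] || 0) < b[i];
  }
  return false;
}

// Walk a parsed lockfile and return [{ path, version }] for each vulnerable copy.
function findVulnerable(lock, name = "glob-parent", fixed = FIXED) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + name) && meta.version && isBelow(meta.version, fixed)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits;
  // lockfileVersion 1: nested "dependencies" trees; the trail shows who owns the copy.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail.concat(dep);
      if (dep === name && isBelow(meta.version, fixed)) {
        hits.push({ path: path.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v1 layout) mirroring the chain in the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "@babel/cli": { version: "7.14.3" },
    "@nicolo-ribaudo/chokidar-2": {
      version: "2.1.8-no-fsevents",
      dependencies: { "glob-parent": { version: "3.1.0" } },
    },
    "glob-parent": { version: "5.1.2" },
  },
};
console.log(findVulnerable(sampleLock));
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`; an empty result after updating dependencies confirms that no copy below 5.1.2 remains.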