node-temp
Update rimraf to a version with a newer glob dependency
Hello,
The current release of node-temp uses rimraf 2.6.3, which depends on Glob, which depends on Inflight, which has a security issue: CWE-772. Newer releases of rimraf and Glob exist that do not have this dependency. Temp should be updated to a newer version, as it's used by many downstream packages, like js-codeshift, which currently have this vulnerability.
@bruce hey! It looks like only you can release a new version now, so I am writing to you.
Do you have any plans to support and develop this project?
It looks perfect, but time passes, and the project's dependencies become outdated. Thus, modern rimraf only supports node>=14.18.0, while the current version of temp supports node>=6.0.0. Updating even a minor version in this case for a package with millions of downloads will definitely be a painful breaking change.
How do you feel about updating all dependencies and releasing a major release?
@bruce hey! It looks like only you can release a new version now, so I am writing to you.
Ah, I was unaware of that; this project has been off my radar for some time.
Do you have any plans to support and develop this project?
No, but I'm at least willing to make new dependency related releases, time-permitting, until someone else steps forward and wants to continue to support the project more comprehensively.
It looks perfect, but time passes, and the project's dependencies become outdated. Thus, modern rimraf only supports node>=14.18.0, while the current version of temp supports node>=6.0.0. Updating even a minor version in this case for a package with millions of downloads will definitely be a painful breaking change.
How do you feel about updating all dependencies and releasing a major release?
Yes, I can take a look at this in a week or so; I'm currently on holiday and a continent and ocean away from my laptop.
Hi!
Any news on this?
Just noticed this inflight issue in my setup and following the dependency path brought me here.
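Added example, not part of the thread or of node-temp's code: a script that lists every dependency path from the root of an npm `package-lock.json` (the `packages` layout of lockfileVersion 2 and 3) to a named package such as `inflight`, which is the tracing the comments above describe. The sample lockfile is constructed; `demo-app`, the `0.0.0` versions, the `*` ranges and the function names are assumptions, and only the package names and rimraf 2.6.3 come from the issue.

```javascript
// Constructed sample lockfile; "0.0.0" versions and "*" ranges are placeholders.
const sampleLock = {
  packages: {
    '': { name: 'demo-app', dependencies: { jscodeshift: '*' } },
    'node_modules/jscodeshift': { version: '0.0.0', dependencies: { temp: '*' } },
    'node_modules/temp': { version: '0.0.0', dependencies: { rimraf: '*' } },
    'node_modules/rimraf': { version: '2.6.3', dependencies: { glob: '*' } },
    'node_modules/glob': { version: '0.0.0', dependencies: { inflight: '*' } },
    'node_modules/inflight': { version: '0.0.0' },
  },
};

// Mirror Node's lookup: the requirer's own node_modules first, then each parent.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === '') return null; // not installed (e.g. skipped optional dep)
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Return every path "root > a@1 > b@2 > target@3" that reaches `target`.
function findPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const walk = (path, trail, seen) => {
    const pkg = packages[path];
    const name = path === ''
      ? (pkg.name || '(root)')
      : path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const here = trail.concat(pkg.version ? `${name}@${pkg.version}` : name);
    if (name === target) { results.push(here.join(' > ')); return; }
    // devDependencies only count for the root project.
    const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies,
      path === '' ? pkg.devDependencies : null);
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(packages, path, dep);
      // `seen` is per path, so cycles stop but alternative routes are kept.
      if (next !== null && !seen.has(next)) walk(next, here, new Set(seen).add(next));
    }
  };
  if (packages['']) walk('', [], new Set(['']));
  return results;
}

console.log(findPaths(sampleLock, 'inflight').join('\n'));
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findPaths` in place of `sampleLock`.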