Security vulnerability in "glob-parent" nested dependency
I was not sure where to report the problem, as it's related to some nested dependencies, but all of them start with @cypress/code-coverage.
Logs and screenshots
Logs from `npm audit`
```text
[2021-06-08T03:04:55.893Z] === npm audit security report ===
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] # Run npm update null --depth 4 to resolve 1 vulnerability
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Moderate Regular expression denial of service
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Package glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Dependency of @cypress/code-coverage
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Path @cypress/code-coverage > @cypress/browserify-preprocessor >
[2021-06-08T03:04:55.893Z] babel-plugin-add-module-exports > chokidar > glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] More info https://npmjs.com/advisories/1751
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] # Run npm update glob-parent --depth 4 to resolve 1 vulnerability
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Moderate Regular expression denial of service
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Package glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Dependency of @cypress/code-coverage
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Path @cypress/code-coverage > globby > fast-glob > glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] More info https://npmjs.com/advisories/1751
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Manual Review
[2021-06-08T03:04:55.893Z] Some vulnerabilities require your attention to resolve
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Visit https://go.npm.me/audit-guide for additional guidance
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Moderate Regular expression denial of service
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Package glob-parent
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Patched in >=5.1.2
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Dependency of @cypress/code-coverage
[2021-06-08T03:04:55.893Z]
[2021-06-08T03:04:55.893Z] Path @cypress/code-coverage > @cypress/browserify-preprocessor >
[2021-06-08T03:04:55.894Z] watchify > chokidar > glob-parent
[2021-06-08T03:04:55.894Z]
[2021-06-08T03:04:55.894Z] More info https://npmjs.com/advisories/1751
[2021-06-08T03:04:55.894Z]
```
Versions
```
"@cypress/code-coverage": "^3.9.6",
"cypress": "^6.4.0",
```
OS: Ubuntu 20.10, Shell: bash, Node: v12.22.1, npm: 6.14.12
Describe the bug
There is a security vulnerability in a nested glob-parent package. See the npm audit logs for more details.
Link to the repo https://github.com/cloudify-cosmo/cloudify-ui-common
Not the smallest reproducible example, but running `npm install && npm audit` will yield those problems.
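A lockfile check for this class of finding, added here as an example (it is not code from the issue, the linked repo or the Cypress project): it walks the nested dependency tree of an npm 6 `package-lock.json`, lists every copy of glob-parent with the path that `npm audit` prints, and flags copies older than the 5.1.2 bound from the report above. The lockfile content in the block is constructed; only the 3.9.6 version of @cypress/code-coverage matches the issue.

```javascript
// Added example, not from the issue or the Cypress project: scan an npm 6
// (lockfileVersion 1) package-lock.json for every nested copy of a package and
// flag versions below the "Patched in" bound npm audit printed (>=5.1.2 here).
// Plain Node.js, no third-party modules.

// Compare the numeric major.minor.patch parts of two versions: <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Walk the nested "dependencies" tree and collect every occurrence of `name`
// together with the "a > b > c" path that npm audit prints.
function findPackage(node, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) out.push({ path: path.join(' > '), version: info.version });
    findPackage(info, name, path, out);
  }
  return out;
}

// Mark each occurrence whose version is older than the patched bound.
function auditLock(lock, name, patchedIn) {
  return findPackage(lock, name).map((hit) => ({
    ...hit,
    vulnerable: compareVersions(hit.version, patchedIn) < 0,
  }));
}

// Constructed sample lock mirroring two paths from the audit report above;
// all version numbers except 3.9.6 are made up for the example.
const sampleLock = { lockfileVersion: 1, dependencies: { '@cypress/code-coverage': { version: '3.9.6', dependencies: {
  '@cypress/browserify-preprocessor': { version: '3.0.1', dependencies: {
    'babel-plugin-add-module-exports': { version: '1.0.4', dependencies: {
      chokidar: { version: '2.1.8', dependencies: { 'glob-parent': { version: '3.1.0' } } } } } } },
  globby: { version: '11.0.3', dependencies: {
    'fast-glob': { version: '3.2.5', dependencies: { 'glob-parent': { version: '5.1.2' } } } } },
} } } };

// Usage: swap sampleLock for JSON.parse(fs.readFileSync('package-lock.json')).
for (const hit of auditLock(sampleLock, 'glob-parent', '5.1.2')) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\t${hit.version}\t${hit.path}`);
}
```

Because it reads the resolved tree rather than the `package.json` ranges, the same walk shows whether an `npm update glob-parent --depth 4` actually replaced every nested copy or only some of them.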
When will we get it fixed?
~Is this being looked into? A version of @cypress/browserify-preprocessor with the vulnerable glob-parent version is being used.~
I see that @renovate-bot has attempted to fix this with #519