fast-glob
glob-parent audit issue
Environment
- OS Version: Windows 10
- Node.js Version: 14.17
Actual behavior
After installing fast-glob, npm audit reports security issues with the dependency glob-parent, saying its version should be >= 6.0.1
Expected behavior
Install fast-glob without any npm audit security issue
Steps to reproduce
npm install fast-glob
fast-glob presently pins glob-parent to v5, which isn't currently patched. This issue impacts Yarn users, which both transitively depend on fast-glob.
@Kurt-von-Laven can you approve this PR? https://github.com/mrmlnc/fast-glob/pull/367
Yes, but it won't do you any good.
chokidar claims that glob-parent v5.1.2 is not vulnerable: https://github.com/paulmillr/chokidar/issues/1191
It is not vulnerable, so the bug is bogus. You need to report this issue to GitHub support, which erroneously added the CVE to Dependabot.
https://github.com/github/advisory-database/pull/531
following
@fhljys FYI, you can click on "Subscribe" in the "Notifications" section in order to follow a thread if that is your intention in posting.
@paulmillr I didn't understand: what does it mean that the bug is bogus? According to the report -> https://github.com/advisories/GHSA-cj88-88mr-972w glob-parent is vulnerable before 6.0.1. Can you please clarify?
Apparently that report was incorrect (false positive).
Take a look at it again. It got corrected and specifies that 5.1.2 is not vulnerable.
@mrmlnc, I believe this issue can safely be closed at this point since it was simply a false positive from a security audit.