glob-parent audit issue

[nicososadmi]

Environment

• OS Version: Windows 10
• Node.js Version: 14.17

Actual behavior

After install fast-glob npm throws audit security issues with that dependency glob-parent that version should be >= 6.0.1

Expected behavior

Install fast-glob without any npm audit security issue

Steps to reproduce

npm install fast-glob

[Kurt-von-Laven]

fast-glob presently pins glob-parent to v5, which isn't currently patched. This issue impacts Yarn users, which both transitively depend on fast-glob.

[nicososadmi]

@Kurt-von-Laven can you approve this PR? https://github.com/mrmlnc/fast-glob/pull/367

[Kurt-von-Laven]

Yes, but it won't do you any good.

[Eusebius1920]

chokidar claims that glob-parent v5.1.2 is not vulnerable: https://github.com/paulmillr/chokidar/issues/1191

[paulmillr]

It is not vulnerable, so the bug is bogus, you need to report this issue to Github support, which errorneusly added the cve to dependabot

[paulmillr]

https://github.com/github/advisory-database/pull/531

[fhljys]

following

[Kurt-von-Laven]

@fhljys FYI, you can click on "Subscribe" in the "Notifications" section in order to follow a thread if that is your intention in posting.

[melwynjensen]

@paulmillr didn't understand what does it mean the bug is bogus? according to the report -> https://github.com/advisories/GHSA-cj88-88mr-972w glob-parent is vulnerable before 6.0.1, can you please clarify?

[Eusebius1920]

@paulmillr didn't understand what does it mean the bug is bogus? according to the report -> GHSA-cj88-88mr-972w glob-parent is vulnerable before 6.0.1, can you please clarify?

Apparently that report was incorrect (false positive).

Take a look at it again. It got corrected and specifies that 5.1.2 is not vulnerable.

[Kurt-von-Laven]

@mrmlnc, I believe this issue can safely be closed at this point since it was simply a false positive from a security audit.