
(Another) New fast-glob version required due to dependency CVE in micromatch

Open lyricnz opened this issue 1 year ago • 3 comments

Similar to #443, another CVE in micromatch requiring update to micromatch (which isn't available yet?). See https://github.com/advisories/GHSA-952p-6rrq-rcjv

lyricnz avatar Aug 22 '24 02:08 lyricnz

I have opened a PR https://github.com/micromatch/micromatch/pull/266 that fixes the issue in micromatch (https://github.com/micromatch/micromatch/issues/264), waiting to be merged.

hauserkristof avatar Aug 22 '24 21:08 hauserkristof

micromatch 4.0.7 is not enough to fix the latest CVE. Needs 4.0.8

lyricnz avatar Aug 25 '24 02:08 lyricnz

Is this still an issue? When I install fast-glob I get micromatch 4.0.8 and no security warning.

├─┬ [email protected]
│ ├── @nodelib/[email protected]
│ ├── @nodelib/[email protected]
│ ├── [email protected]
│ ├── [email protected]
│ └── [email protected]

75lb avatar Aug 25 '24 12:08 75lb

v4.0.8 has been merged, so this can be closed now.

hauserkristof avatar Aug 26 '24 08:08 hauserkristof

Yup, I did a nuke+reinstall, and got micromatch 4.0.8 from the three places that needed it, including fast-glob.

lyricnz avatar Aug 27 '24 00:08 lyricnz
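
The check discussed in this thread (every installed copy of micromatch must be at least 4.0.8) can be run against a lockfile directly. The script below is an added example, not code from fast-glob or micromatch; the sample lockfile and the `some-tool` package name are constructed, and version comparison ignores pre-release suffixes as a simplifying assumption.

```javascript
// Added example: list every micromatch copy in a package-lock.json that is older than 4.0.8.
const FIXED = [4, 0, 8]; // fixed version named in this thread

// Compare "x.y.z" against FIXED; pre-release/build suffixes are ignored (assumption).
function isBelowFixed(version) {
  const parts = version.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  return Object.entries(packages)
    .filter(([path]) => path.split('node_modules/').pop() === 'micromatch')
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// lockfileVersion 1: nested "dependencies" tree.
function fromDependencies(deps, prefix = '') {
  const found = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'micromatch') found.push({ path, version: meta.version });
    found.push(...fromDependencies(meta.dependencies, `${path}/`));
  }
  return found;
}

function findOutdatedMicromatch(lock) {
  const copies = lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
  return copies.filter((c) => typeof c.version === 'string' && isBelowFixed(c.version));
}

// Constructed sample lockfile (not from the thread): one patched copy, one stale nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/fast-glob': { version: '0.0.0-placeholder' },
    'node_modules/micromatch': { version: '4.0.8' },
    'node_modules/some-tool/node_modules/micromatch': { version: '4.0.7' },
  },
};

console.log(findOutdatedMicromatch(sampleLock));
```

To use it on a real project, replace `sampleLock` with the parsed contents of the project's `package-lock.json`; an empty result means no copy below 4.0.8 is pinned.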