
Upgrade libraries, fix vulnerabilities

Open wilmerhmg opened this issue 4 years ago • 6 comments

This PR updates libraries and fixes vulnerabilities reported at https://www.npmjs.com/advisories/786

wilmerhmg avatar Jul 14 '20 19:07 wilmerhmg

Codecov Report

Merging #63 into master will increase coverage by 0.95%. The diff coverage is n/a.


@@            Coverage Diff             @@
##           master      #63      +/-   ##
==========================================
+ Coverage   83.93%   84.89%   +0.95%     
==========================================
  Files          17       17              
  Lines         610      556      -54     
==========================================
- Hits          512      472      -40     
+ Misses         98       84      -14     
Impacted Files             Coverage Δ
lib/utils/apply-action.js   62.50% <0.00%> (-1.39%)
lib/utils/copy-file.js      70.45% <0.00%> (-0.70%)
bin/index.js               100.00% <0.00%> (ø)
lib/utils/watcher.js        84.37% <0.00%> (+2.06%)

Last update 692b67b...36ad868.

codecov[bot] avatar Jul 14 '20 19:07 codecov[bot]

I just ran Snyk and got this warning:

  ✗ Regular Expression Denial of Service (ReDoS) [Low Severity][https://snyk.io/vuln/npm:braces:20180219] in [email protected]
    introduced by [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
  This issue was fixed in versions: 2.3.1

Misiu avatar Oct 13 '20 11:10 Misiu

Can we expect this change to be merged? Or do we need to manually patch it locally? :(

Regular Expression Denial of Service
Package:       braces
Patched in:    >=2.3.1
Dependency of: cpx [dev]
Path:          cpx > chokidar > anymatch > micromatch > braces

KirilVandov avatar Feb 22 '21 14:02 KirilVandov
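The Snyk warning above and the advisory summary in the previous comment both describe the same thing: the vulnerable `braces` is the copy that resolves at the end of the path `cpx > chokidar > anymatch > micromatch > braces`, and it is fixed only if that copy is `>=2.3.1`. The script below is an added example, not code from the cpx project or from anyone in this thread. It walks a `package-lock.json` (lockfile v1 layout) along the advisory path the way Node's resolver would, nearest enclosing `node_modules` first, and reports whether the resolved version is below the patched one. `SAMPLE_LOCK` is constructed test data; every version in it other than the patched `braces` range is an assumption, not the real cpx lock file.

```javascript
// Added example (not from the cpx project): check an advisory path against a
// package-lock.json tree and flag the resolved leaf package if it is below the
// version the advisory says is patched.

// CONSTRUCTED sample lock file. Versions are assumptions for illustration.
const SAMPLE_LOCK = {
  name: "cpx",
  version: "1.5.0",
  lockfileVersion: 1,
  dependencies: {
    chokidar: {
      version: "1.7.0",
      dependencies: {
        anymatch: {
          version: "1.3.2",
          dependencies: {
            micromatch: {
              version: "2.3.11",
              dependencies: {
                // Nested, unpatched copy: this is the one the advisory path hits.
                braces: { version: "1.8.5" }
              }
            }
          }
        }
      }
    },
    // Hoisted, patched copy used by some other dependency. It does NOT shadow
    // the nested copy above, which is why a tool like `npm ls` can list both.
    braces: { version: "2.3.2" }
  }
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build metadata is dropped.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`bad version: ${v}`);
  }
  return parts;
}

// Compare two versions like strcmp: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Resolve each package in `path` the way Node does: look in the nearest enclosing
// node_modules (the innermost `dependencies` map) and walk outwards to the root.
// Returns the list of {name, version} that resolved, or null if a step is missing.
function resolvePath(lock, path) {
  const ancestors = [lock]; // innermost package last
  const resolved = [];
  for (const name of path) {
    let found = null;
    for (let i = ancestors.length - 1; i >= 0; i--) {
      const deps = ancestors[i].dependencies || {};
      if (deps[name]) {
        found = deps[name];
        break;
      }
    }
    if (!found) return null;
    resolved.push({ name, version: found.version });
    ancestors.push(found);
  }
  return resolved;
}

// Report whether the package at the end of the path is older than `patchedIn`.
function checkAdvisory(lock, path, patchedIn) {
  const resolved = resolvePath(lock, path);
  if (!resolved) return { found: false, vulnerable: false, resolved: null };
  const leaf = resolved[resolved.length - 1];
  return {
    found: true,
    vulnerable: compareVersions(leaf.version, patchedIn) < 0,
    resolved: resolved.map((r) => `${r.name}@${r.version}`).join(" > ")
  };
}

// Path from the Snyk output in the thread, with the root package (cpx) omitted
// because the lock file itself is the root.
const ADVISORY_PATH = ["chokidar", "anymatch", "micromatch", "braces"];
const PATCHED_IN = "2.3.1";

console.log(checkAdvisory(SAMPLE_LOCK, ADVISORY_PATH, PATCHED_IN));
```

With the sample data the report comes back `vulnerable: true` even though a patched `braces@2.3.2` sits at the top level, which is the situation the thread describes: the fix only counts when the nested copy on the advisory path is replaced. To force that without waiting on upstream, npm's `overrides` field (npm 8.3 and later) or Yarn's `resolutions` pin a transitive dependency; rerunning this check against the regenerated lock file confirms the path then resolves to a patched version.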

Hi! could this PR be merged please?

golfovi avatar Jun 24 '21 10:06 golfovi

There's a bigger problem than only those vulnerabilities. The last release of this project was in 2016; version 1.5.0, which is the newest one, was created 5 years ago. I believe that this project is just dead. Fortunately no one uses cpx in production code, only for building, so all vulnerabilities can be just ignored, because they aren't real problems, although I'd say that it's not an ideal situation, because everyone using this tool will have to maintain the ignored list of vulnerabilities by himself.

rjz-avaleo avatar Nov 01 '21 12:11 rjz-avaleo

I found this: https://www.npmjs.com/package/cpx-fixed It seems someone forked this repo (and then another one) to be able to release new versions.

rjz-avaleo avatar Nov 01 '21 12:11 rjz-avaleo