Arborist has outdated dependencies which still use `glob@11.0.3`, which has a CVE
### Is there an existing issue for this?

- [x] I have searched the existing issues

### This issue exists in the latest npm version

- [x] I am using the latest npm
### Current Behavior

There are at least 2 dependencies that are out of date and still reference `glob@11.0.3` or below, which has a CVE, and they are used by Lerna/Lerna-Lite (I maintain the latter).
This one should be at 5.0.3 to get Glob 13.x: https://github.com/npm/cli/blob/58afdcc2094bd245c9916a02a62640a76ace8e72/workspaces/arborist/package.json#L9

and this one should be at 20.0.3 to get Glob 13.x: https://github.com/npm/cli/blob/58afdcc2094bd245c9916a02a62640a76ace8e72/workspaces/arborist/package.json#L18
I know that I can simply force the lock file to update, but it's a little hard when it's a transitive dependency like this one. So in Lerna/Lerna-Lite (I use and maintain the latter), and then when I use it in other monorepos, I still see this; Renovate can't fix it by itself, and it is caused by @npmcli/arborist.
```
Transitive dependency glob 11.0.3 is introduced via
@lerna-lite/cli 4.9.4 ... glob 11.0.3
@lerna-lite/publish 4.9.4 ... glob 11.0.3
@lerna-lite/watch 4.9.4 ... glob 11.0.3
```
### Expected Behavior

Arborist should be updated to the latest dependencies so that we can get rid of the CVE. This can be fixed by simply updating the 2 deps mentioned above.
### Steps To Reproduce

- In any environment
- See error...

```
Transitive dependency glob 11.0.3 is introduced via
@lerna-lite/cli 4.9.4 ... glob 11.0.3
@lerna-lite/publish 4.9.4 ... glob 11.0.3
@lerna-lite/watch 4.9.4 ... glob 11.0.3
```
### Environment

```
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.19.0
; npm local prefix = C:\github
; npm version = 10.9.0
```