
Update to fast-glob >3.0.0 in lit-analyzer to avoid security vulnerability

Open melink14 opened this issue 3 years ago • 9 comments

fast-glob <=2.2.7 is vulnerable due to dep on old version of glob-parent.

https://github.com/advisories/GHSA-ww39-953v-wcq6

melink14 avatar Nov 24 '21 06:11 melink14
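The practical question behind this report is which package in a project's dependency tree is pulling in the affected fast-glob range, and how to force a patched version while waiting for an upstream release. The script below is an added example, not code from lit-analyzer, ts-lit-plugin, or the issue author. It walks an npm lockfile (lockfileVersion 2 or 3, which keys every installed package by its on-disk path), reports each copy of fast-glob that is <= 2.2.7 together with the package that depends on it, and builds a package.json `overrides` block (an npm 8.3+ feature) forcing the `>3.0.0` range from the issue title. The embedded lockfile and all its version numbers are constructed for the example and are not the real contents of any release.

```javascript
// Added example (not the lit-analyzer project's code): audit an npm lockfile
// for fast-glob <= 2.2.7, the range this issue reports as vulnerable, and
// build an npm "overrides" entry that forces the patched range instead.
// The lockfile below is constructed for illustration; versions are not real.

const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { "ts-lit-plugin": "1.0.0", "some-cli": "1.0.0" } },
    // ts-lit-plugin (hypothetical version) keeps its own nested copy of fast-glob 2.x.
    "node_modules/ts-lit-plugin": { version: "1.0.0", dependencies: { "fast-glob": "^2.2.6" } },
    "node_modules/ts-lit-plugin/node_modules/fast-glob": {
      version: "2.2.7",
      dependencies: { "glob-parent": "^3.1.0" },
    },
    "node_modules/ts-lit-plugin/node_modules/glob-parent": { version: "3.1.0" },
    // Another dependency already on the hoisted, patched fast-glob 3.x.
    "node_modules/some-cli": { version: "1.0.0", dependencies: { "fast-glob": "^3.2.0" } },
    "node_modules/fast-glob": { version: "3.2.12" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are
// ignored, so "2.0.0-beta.1" compares as 2.0.0. Returns null if malformed.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// fast-glob <= 2.2.7 is the affected range stated in the issue.
function isVulnerableFastGlob(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, [2, 2, 7]) <= 0;
}

// Lockfile v2/v3 paths look like "node_modules/a/node_modules/b"; reduce that
// to ["a", "b"]. The last element is the package, the one before it is the
// dependent that caused the nested install. Scoped names ("@s/p") survive
// because we only split on the "/node_modules/" separator.
function pathToChain(lockPath) {
  if (!lockPath.startsWith("node_modules/")) return [];
  return lockPath.slice("node_modules/".length).split("/node_modules/");
}

function findVulnerableFastGlob(lockfile) {
  const hits = [];
  for (const [lockPath, info] of Object.entries(lockfile.packages || {})) {
    const chain = pathToChain(lockPath);
    if (chain.length === 0 || chain[chain.length - 1] !== "fast-glob") continue;
    if (!isVulnerableFastGlob(info.version)) continue;
    hits.push({
      path: lockPath,
      version: info.version,
      dependent: chain.length > 1 ? chain[chain.length - 2] : "(root project)",
    });
  }
  return hits;
}

// Build a package.json "overrides" object (npm >= 8.3) forcing the patched
// range onto each dependent found above. A root-level hit becomes a direct
// override; a nested hit becomes { "<dependent>": { "fast-glob": range } }.
function buildOverrides(hits, safeRange = ">3.0.0") {
  const overrides = {};
  for (const hit of hits) {
    if (hit.dependent === "(root project)") {
      overrides["fast-glob"] = safeRange;
    } else {
      overrides[hit.dependent] = { ...(overrides[hit.dependent] || {}), "fast-glob": safeRange };
    }
  }
  return overrides;
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-fast-glob.js [path/to/package-lock.json]
  const lockfile = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const hits = findVulnerableFastGlob(lockfile);
  for (const h of hits) console.log(`${h.path}@${h.version} pulled in by ${h.dependent}`);
  console.log(JSON.stringify({ overrides: buildOverrides(hits) }, null, 2));
}
```

Run it against a real `package-lock.json` to see which dependents still nest an old fast-glob; paste the printed `overrides` object into package.json and reinstall so npm resolves those dependents against fast-glob 3.x until the upstream package ships a release that no longer needs the override.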

This dep was fixed by https://github.com/runem/lit-analyzer/pull/244 but we're still pending the release. It looks like the changelog was prepped but I'm not sure if something else is required? @rictic

melink14 avatar May 07 '22 01:05 melink14

I see that there have been active releases of the VS Code plugin but the tsconfig plugin has not seen a release in quite a while: https://www.npmjs.com/package/ts-lit-plugin

Can the recent changes be published to npm as well?

melink14 avatar Jul 03 '22 06:07 melink14

Just pinging this bug since ts-lit-plugin still has this vulnerability. Should we not be using that plugin? What's the alternative?

Is there some blocker that makes it hard to publish the plugin with the new version?

melink14 avatar Aug 06 '22 13:08 melink14

Seems the ts-lit-plugin package hasn't been updated still; is there something we can do to help as members of the community?

melink14 avatar Sep 22 '22 04:09 melink14

Just checking in on this issue to see if there's anything I could do to help get a new release published!

melink14 avatar Nov 17 '22 00:11 melink14

Any news?

melink14 avatar Dec 18 '22 07:12 melink14

+1 this is relevant.

Vithanco avatar Jan 09 '23 03:01 Vithanco

Any news?

svdsande avatar Apr 12 '23 12:04 svdsande

This should be fixed in lit-analyzer@next

rictic avatar Jun 20 '23 18:06 rictic