
Vulnerability Identified in the dependency glob npm package

Open kkpranesh opened this issue 1 year ago • 6 comments

Missing Release of Resource after Effective Lifetime
Vulnerable module: inflight
Introduced through: [email protected] > [email protected] > [email protected]
Fixed in: [email protected]

Fix: Update the glob npm package

kkpranesh, Oct 07 '24 12:10

Hello, I’ve encountered a similar problem related to the outdated version of glob used in sequelize-typescript.

Here are the details:

When running npm install, I receive multiple warnings about deprecated versions of glob:

npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported

After investigating, I found that [email protected] depends on [email protected]:

$ npm ls glob
├─┬ [email protected]
│ └── [email protected]

The issue with outdated glob is critical as versions prior to v9 are no longer supported and may cause compatibility or security concerns. Additionally, warnings like these can clutter the installation process and make debugging more difficult for teams.

Would it be possible to update the dependency on glob to a more recent version (v9 or higher)? This would help prevent deprecation warnings and ensure better support for downstream projects.

comeonyo, Dec 16 '24 08:12

Having similar issue, getting the below warning from inflight.

This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

avez-fsd, Jan 02 '25 15:01

Hi @WikiRik, could you help take a look?

luanxuechao, May 22 '25 09:05

I was faced with the same issue, and after searching, it appears they will not fix the inflight module issue because then they would no longer support Node 10. But isn't that the wrong way of thinking? Node 10 is EOL April 30, 2021. Shouldn't the project aim to upgrade and be compliant with the latest versions? Unless there is a viable alternative, even major projects like NestJS suggest using this package.

brandon-philpot, Jun 20 '25 03:06

I've faced the same issue. Please upgrade the glob version.

nhuphuoc-bic, Jun 20 '25 04:06

I agree. They should specify in the engine that they now support node >=16. Since node 14 is also EOL, it shouldn't even matter. Developers could also continue using the current version of sequelize-typescript for their environments below node16.

andres-flores-espol, Jul 02 '25 21:07