Glob - Inflight - Missing Release of Resource after Effective Lifetime
Security vulnerability identified by Snyk within the svg-sprite package's dependencies.
The issue is tied to the inflight package, which is a transitive dependency through glob. According to Snyk, the vulnerability is registered as SNYK-JS-INFLIGHT-6095116 and CWE-772: Missing Release of Resource after Effective Lifetime.
Issue Description
The inflight package, which is used to prevent parallel execution of async tasks with the same key, has been reported to have a security vulnerability.
Relevant Context
glob versions 9 and onwards have moved away from using callbacks to promises, leading to the removal of inflight from its dependencies due to the API changes. This evolution is discussed in the following node-glob GitHub issues:
Additionally, the inflight package itself has its own issues:
Suggested Action
Given that glob has evolved past the need for inflight, it may be beneficial for svg-sprite to update its dependencies accordingly, to a version of glob (v9/v10) that does not rely on inflight.
I personally don't want to update glob due to this: https://packagephobia.com/result?p=glob%407.2.3%2Cglob%4010.2.4.
So, ideally someone should find a small replacement package and submit a PR with test cases.
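To check which installed packages still pull in inflight, the following added example (not part of this thread and not svg-sprite's code) walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3). The function names and the sample lockfile are assumptions made up for the illustration; only the glob versions 7.2.3 and 10.2.4 come from the link above.

```javascript
// Added example: find installed copies of a package and the packages that
// declare it as a dependency, from the "packages" map of package-lock.json.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(key) {
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Hypothetical helper: returns { installed, dependents } for `target`.
function auditDependency(lock, target = 'inflight') {
  const installed = [];
  const dependents = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = key === '' ? '(root project)' : packageName(key);
    if (name === target) {
      installed.push({ path: key, version: meta.version });
    }
    // The root entry may also list devDependencies; nested entries do not.
    const deps = {
      ...meta.dependencies,
      ...meta.optionalDependencies,
      ...meta.devDependencies,
    };
    if (Object.prototype.hasOwnProperty.call(deps, target)) {
      dependents.push({ path: key, name, version: meta.version, range: deps[target] });
    }
  }
  return { installed, dependents };
}

// Constructed sample lockfile (illustrative ranges, not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { glob: '^7.2.3', 'example-tool': '^1.0.0' } },
    'node_modules/glob': { version: '7.2.3', dependencies: { inflight: '^1.0.4', minimatch: '^3.1.1' } },
    'node_modules/inflight': { version: '1.0.6', dependencies: { once: '^1.3.0' } },
    'node_modules/example-tool': { version: '1.0.0', dependencies: { glob: '^10.2.4' } },
    'node_modules/example-tool/node_modules/glob': { version: '10.2.4', dependencies: { minimatch: '^9.0.0' } },
  },
};

// Only the glob 7.x copy is reported as a dependent; the nested 10.x copy is not.
console.log(JSON.stringify(auditDependency(sampleLock), null, 2));
```

In a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; an empty `dependents` list means nothing in the tree requests inflight any more.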