glob-parent audit issue #368
Comments
fast-glob presently pins glob-parent to v5, which isn't currently patched. This issue impacts Yarn users, which both transitively depend on fast-glob.
@Kurt-von-Laven can you approve this PR? #367
Yes, but it won't do you any good.
chokidar claims that glob-parent v5.1.2 is not vulnerable:
It is not vulnerable, so the bug is bogus. You need to report this issue to GitHub support, which erroneously added the CVE to Dependabot.
following
@fhljys FYI, you can click on "Subscribe" in the "Notifications" section in order to follow a thread if that is your intention in posting.
@paulmillr I didn't understand: what does it mean that the bug is bogus? According to the report -> GHSA-cj88-88mr-972w, glob-parent is vulnerable before 6.0.1. Can you please clarify?
Apparently that report was incorrect (false positive). Take a look at it again. It got corrected and specifies that 5.1.2 is not vulnerable.
@mrmlnc, I believe this issue can safely be closed at this point since it was simply a false positive from a security audit.
Environment
Actual behavior
After installing fast-glob, npm throws audit security issues for the dependency glob-parent, whose version should be >= 6.0.1
Expected behavior
Install fast-glob without any npm audit security issue
Steps to reproduce
npm install fast-glob