Micromatch <4.0.8 used in ui5/cli CVE-2024-4067 #1005

@marcmuschko

Description

Hope this issue is the way to go, as the security vulnerability itself is not owned by SAP but only used in this repository.

Current Behavior

A GitHub bot / npm security warning due to the dependency "micromatch" 4.0.7 in ui5/cli is failing our builds (Whitesource compliance). We are using ui5/cli 3.11.1, but it seems the same issue occurs in ui5/cli 4.0.5.

Expected Behavior

No security finding is reported by GitHub after unpinning micromatch 4.0.7 / raising it to 4.0.8.
If possible, in a ui5/cli 3.X.X version, likely 3.11.2, as we cannot update to 4.X.X yet.

Steps to Reproduce the Issue

  1. Create a new project using ui5/cli via npm
  2. Commit the project to GitHub with dependency checks enabled
  3. See the Security tab

Context

  • micromatch 4.0.7 is used and pinned by ui5/cli 3.11.1 through 4.0.5
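Added example, not code from the issue author or from the ui5/cli project: a small Node script that reproduces offline what the GitHub alert did for the reporter. It walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), flags every installed copy of micromatch below 4.0.8 (the fixed version the issue names), and reports which installed package resolves to that copy, so you can tell whether ui5/cli or some other dependency is the one pulling it in. The embedded lock data is constructed for the example and is not the reporter's project; `other-tool` is a made-up package name; the `overrides` snippet it prints uses npm's package.json `overrides` field as a consumer-side workaround, which is an assumption about how a reader would bump the version before a ui5/cli release ships the change.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2 or 3, "packages" map)
// for copies of micromatch older than the fixed release named in the issue.
// Not part of the issue or of ui5/cli; the sample lock data below is constructed.

const FIXED_VERSION = '4.0.8'; // version the GitHub/npm alert asks for (from the issue)
const PACKAGE = 'micromatch';

// Constructed lock data resembling a project that installs @ui5/cli 3.11.1
// (which the issue says pins micromatch 4.0.7) next to a second, made-up tool
// that already gets its own nested, fixed copy.
const SAMPLE_LOCK = {
  name: 'my-ui5-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-ui5-app', devDependencies: { '@ui5/cli': '3.11.1', 'other-tool': '^1.0.0' } },
    'node_modules/@ui5/cli': { version: '3.11.1', dependencies: { micromatch: '4.0.7' } },
    'node_modules/micromatch': { version: '4.0.7' },
    'node_modules/other-tool': { version: '1.0.0', dependencies: { micromatch: '^4.0.8' } },
    'node_modules/other-tool/node_modules/micromatch': { version: '4.0.8' },
  },
};

// Numeric compare of "major.minor.patch" strings (pre-release tags are ignored).
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0) ? 1 : -1;
  }
  return 0;
}

// Node-style resolution inside the lock map: look for <from>/node_modules/<name>,
// then walk up one node_modules level at a time until the project root.
function resolveFrom(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (dir === '') return null;
    const up = dir.lastIndexOf('/node_modules/');
    dir = up === -1 ? '' : dir.slice(0, up);
  }
}

// Returns [{ path, version, requiredBy: [dependant paths] }] for every installed
// copy of PACKAGE whose version is below fixedVersion.
function findVulnerableCopies(lock, fixedVersion = FIXED_VERSION) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const isCopy = path === 'node_modules/' + PACKAGE || path.endsWith('/node_modules/' + PACKAGE);
    if (!isCopy || !meta.version || compareVersions(meta.version, fixedVersion) >= 0) continue;
    const requiredBy = [];
    for (const [depPath, depMeta] of Object.entries(packages)) {
      const deps = { ...depMeta.dependencies, ...depMeta.devDependencies, ...depMeta.optionalDependencies };
      if (PACKAGE in deps && resolveFrom(packages, depPath, PACKAGE) === path) {
        requiredBy.push(depPath === '' ? '(root package.json)' : depPath);
      }
    }
    findings.push({ path, version: meta.version, requiredBy });
  }
  return findings;
}

// package.json "overrides" block that forces every copy up to the fixed line;
// a consumer-side workaround until the dependant stops pinning the old version.
function overridesFor(findings, fixedVersion = FIXED_VERSION) {
  return findings.length ? { [PACKAGE]: '^' + fixedVersion } : {};
}

// Run on a real lock file when a path is given, otherwise on the constructed sample.
const lockToScan = typeof process !== 'undefined' && process.argv[2]
  ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
  : SAMPLE_LOCK;
const scanResult = findVulnerableCopies(lockToScan);
for (const f of scanResult) {
  console.log(`${f.path}@${f.version} < ${FIXED_VERSION}, resolved by: ${f.requiredBy.join(', ')}`);
}
console.log('suggested package.json overrides:', JSON.stringify(overridesFor(scanResult)));
```

On the constructed sample the script reports only the hoisted `node_modules/micromatch@4.0.7`, resolved by `node_modules/@ui5/cli`; the nested 4.0.8 copy under the other tool is not flagged. In a real checkout `npm ls micromatch` shows the same tree. An `overrides` entry (npm 8.3 or newer) makes npm install the fixed line even though ui5/cli pins 4.0.7, which changes what the tool runs against, so treat it as a stop-gap and drop it once a ui5/cli release raises the version itself. A lock-file scan like this only knows the one version threshold you give it; it does not replace `npm audit` or the GitHub alert, which key on the advisory database.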

Metadata

Labels: module/ui5-cli (Related to the UI5 CLI module), module/ui5-fs (Related to the UI5 FS module)