inflight - transient dependency introduced memory leak #423
Comments
|
@mabreuortega for visibility |
|
Version 9 only supports node 16+ and (AFAIK) it contains a blue-oak鈥搇icensed dependency Edit: not sure if it's really a leak |
|
Reading the sec vuln report it seems to be just non issue.
|
|
Snyk is reporting it as a High Risk issue based on: https://cwe.mitre.org/data/definitions/772.html https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H This is all due to the original issue reported: isaacs/inflight#5 |
|
Here is the closed issue in node-glob: isaacs/node-glob#435 |
|
Leaving this here for inspiration: |
|
If you land yourself here, don't worry: this module does not suffer from a memory leak, as the call to glob is used only once during startup. |
|
This is fixed in |
馃懏 Responsible Disclosure
Do not open issues that might have security implications. It is critical that security related issues
are reported privately so we have time to address them before they become public knowledge.
Please read our SECURITY.md before reporting a vulnerability.
Individuals who find potential vulnerabilities in a package are invited
to complete a vulnerability report on the dedicated HackerOne organization:
https://hackerone.com/fastify
Vulnerabilities can also be reported by emailing to Fastify core members:
Summary
This package uses a version of node-glob which uses as a dependency inflight. The version of inflight uses has a memory leak. See issue: isaacs/inflight#18.
Inflight seems to have been abandoned and it is not longer a dependency of node-glob version 9 and above. However @nestjs/static is not compatible with node-glob v9+.
Proposed Resolution
To fix this, you will need to use fast-glob or upgrade the dependency to glob v9 where the dependency on inflight has been removed.
The text was updated successfully, but these errors were encountered: