Hi, @phated @contra, I'd like to report a vulnerability introduced by package glob-parent:
Issue
A vulnerability is introduced in glob-watcher@5.0.5:
Vulnerability CVE-2020-28469 is detected in package glob-parent (versions: <5.1.2): https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
The above vulnerable package is referenced by glob-watcher@5.0.5 via:
@mrp-brasil/nick-process-node@3.6.43 ➔ @mrp-brasil/nick-data-commons@3.6.43 ➔ gulp@4.0.2 ➔ glob-watcher@5.0.5 ➔ chokidar@2.1.8 ➔ glob-parent@3.1.0
Solution
Since glob-watcher@5.0.5 (742,227 downloads per week) is transitively referenced by 2,759 downstream projects (e.g., workbox-cli 6.1.5 (latest version), just-task 1.4.1 (latest version), just-scripts 1.5.4 (latest version), aurelia-cli 2.0.3 (latest version), node-bandwidth 4.0.0 (latest version)), if glob-watcher@5.0.* removes the vulnerable package from the above version, then its fixed version can help downstream users decrease their pain.
Could you help update packages in these versions?
Fixing suggestions
In glob-watcher@5.0.*, you can kindly perform the following upgrade:
chokidar ^2.0.0 ➔ ^3.0.0
Note:
chokidar@3.0.0 (>=3.0.0) directly depends on glob-parent@5.1.2, which has fixed the vulnerability (CVE-2020-28469).
Thanks for your contributions to the downstream users!
Best regards,
Paimon
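
A check a downstream maintainer could run for the chain reported above, as an added example that is not part of the original issue or of the glob-watcher project: it walks a dependency tree in the shape printed by `npm ls --all --json` and lists every path that ends in glob-parent below 5.1.2. The function names and the sample tree (including `example-app`) are constructed for illustration.

```javascript
// Added example: list every dependency path that ends in glob-parent < 5.1.2.
// Assumed input shape (as printed by `npm ls --all --json`):
//   { name, version, dependencies: { <name>: { version, dependencies } } }

const FIXED = "5.1.2"; // first fixed glob-parent release named in the report

// Compare plain x.y.z versions numerically.
// Assumption: pre-release suffixes ("-beta.1") are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; returns path strings such as "a@1.0.0 > b@2.0.0".
function findVulnerablePaths(node, name, target = "glob-parent", fixed = FIXED, trail = []) {
  const here = trail.concat(`${name}@${node.version}`);
  const hits = [];
  if (name === target && compareVersions(node.version, fixed) < 0) {
    hits.push(here.join(" > "));
  }
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(dep, depName, target, fixed, here));
  }
  return hits;
}

// Constructed sample tree: one branch mirrors the chain in the report,
// the other uses chokidar 3.x with the fixed glob-parent.
const sampleTree = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    gulp: { version: "4.0.2", dependencies: {
      "glob-watcher": { version: "5.0.5", dependencies: {
        chokidar: { version: "2.1.8", dependencies: {
          "glob-parent": { version: "3.1.0" } } } } } } },
    chokidar: { version: "3.0.0", dependencies: {
      "glob-parent": { version: "5.1.2" } } },
  },
};

console.log(findVulnerablePaths(sampleTree, sampleTree.name));
```

Only the gulp branch is reported; the chokidar 3.x branch resolves to the fixed glob-parent and is skipped.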