
Upgrade glob-parent to version 6.0.1 #118

Open
arderyp opened this issue Jul 19, 2022 · 4 comments

Comments


arderyp commented Jul 19, 2022

CVE-2021-35065

@paulmillr

The alert is false, report this to GitHub: github/advisory-database#531


arderyp commented Jul 19, 2022

Thanks @paulmillr. I can try to reach out to GH to have them resolve it.

Could you explain in further detail what exactly is wrong with the alert? When I try a yarn upgrade, this package prevents glob-parent from being upgraded to a non-vulnerable version. Are you simply saying that this package uses glob-parent in such a way that this CVE does not affect us? Or that the CVE doesn't actually affect our version of glob-parent?

Is unpinning the glob-parent version and allowing a version upgrade a big lift on your end? I do see it would be a major version jump from 5 to 6, but am not familiar enough with glob-parent to know what kind of work that entails.

@paulmillr

chokidar uses glob-parent 5.1.2, which is not vulnerable. If your tool says it's vulnerable, then it's garbage. github's dependabot is garbage. Chokidar won't update to 6.0.1 because it requires bumping nodejs requirement to v10. We have 40 million installs per week and many of those are v8. Why should I even consider upgrading this because of huge corporations who cannot get their tooling straight?

There is nothing you should do in your setup: you're not using glob-parent directly, and indirectly you're using a non-vulnerable version.

Reporting to GH works.
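The check paulmillr describes, as an added example that is not code from chokidar or from this thread: read which version of a transitive package the lockfile actually resolves, then compare it with an advisory's affected range instead of trusting the alert. The yarn.lock excerpt and the affected range below are constructed for illustration, not copied from the advisory.

```javascript
// Constructed yarn.lock (v1 format) excerpt: chokidar pins glob-parent ~5.1.2.
const LOCK = `# yarn lockfile v1

chokidar@^3.5.3:
  version "3.5.3"
  dependencies:
    glob-parent "~5.1.2"

"glob-parent@~5.1.2", glob-parent@^5.1.2:
  version "5.1.2"
  dependencies:
    is-glob "^4.0.1"

is-glob@^4.0.1:
  version "4.0.3"
`;

// Every version that the lockfile resolves for `pkg` (handles scoped names too).
function resolvedVersions(lock, pkg) {
  const found = new Set();
  let inEntry = false;
  for (const line of lock.split('\n')) {
    if (/^\S/.test(line) && line.endsWith(':')) {
      // Header line: one or more "name@specifier" entries separated by ", ".
      inEntry = line.slice(0, -1).split(', ')
        .some(s => s.replace(/^"|"$/g, '').startsWith(pkg + '@'));
    } else if (inEntry) {
      const m = line.match(/^  version "([^"]+)"/);
      if (m) { found.add(m[1]); inEntry = false; }
    }
  }
  return [...found];
}

// Numeric major.minor.patch comparison (pre-release tags are not handled).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisory range in the "introduced <= v < fixed" form; values are assumed.
function isAffected(version, range) {
  return cmp(version, range.introduced) >= 0 && cmp(version, range.fixed) < 0;
}

// One row per resolved version: does the alert apply to what is installed?
function checkAdvisory(lock, pkg, range) {
  return resolvedVersions(lock, pkg).map(v => ({ version: v, affected: isAffected(v, range) }));
}
```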


arderyp commented Jul 19, 2022

"github's dependabot is garbage"

Lol, I often times have the same feeling. Thanks for the clarification, and the awesome package.

I'll report to GH
