Vulnerability through unmaintained test-exclude dependency

[muppet2011ad]

I have a project which uses @vitest/coverage-v8 at version 1.2.2 which depends on test-exclude version 6.0.0. test-exclude has inflight as a transitive dependency via an old version of glob and has this vulnerability according to Snyk. test-exclude appears to be unmaintained (there have been no updates for 4 years and no responses on issues or PRs in that time).

In addition, it looks like @vitest/coverage-istanbul is also vulnerable through test-exclude.

Are there any plans to move away from test-exclude to remove this vulnerability?

[AriPerkkio]

test-exclude is also used by packages like c8 and nyc. I think the maintainers are happy to apply fix for this.

[AriPerkkio]

Oh right, this isn't fixed in inflight either. Looks like this bug has been present since 2017.

[muppet2011ad]

Yeah inflight has been unmaintained for a long time - glob version >=9 has removed its dependency on it probably for this reason, but since test-exclude is unmaintained and so isn't updating its version of glob, we're stuck depending on inflight.

[AriPerkkio]

test-exclude@7 has updated glob to a version that doesn't use inflight: #5867