cpy has transitive dependencies with a CVE vulnerability #98
Comments
@SimonSiefke - can this be bumped?
Is there any update on this? We have Dependabot alerts with high severity.
@sindresorhus
It's blocked by #92
@sindresorhus is it actually truly blocked by that PR, or does that PR just happen to address the issue, amongst other things? Wondering because that PR seems to have stalled, and this remains a "high severity" CVE alert, months on. It either needs a new champion, or for the transitive dependency aspects to be cherry-picked.
Any update on this? It's the only vulnerability we have had for several months.
cpy depends on globby @ ^12.0.2. Following the dependency chain, this also pulls in globby @ 9.2.0. That version of globby depends on fast-glob which depends on glob-parent at a specific version with a vulnerability.
The latest version of globby has a dependency tree which does pull in a fixed version of glob-parent.