[Issue][<dependencies>] SNYK Inflight vulnerability in inflight@1.0.6
sebestenyb opened this issue · 3 comments
Describe the bug
Medium severity memory leak in inflight@1.0.6: https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
To Reproduce
Please see the dependency tree below; eslint updated their dependencies in v9 to fix the issue:
eslint/eslint#17872
Screenshots
Issues with no direct upgrade or patch:
✗ Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6
introduced by maz-ui@3.43.0 > eslint@8.57.0 > file-entry-cache@6.0.1 > flat-cache@3.2.0 > rimraf@3.0.2 > glob@7.2.3 > inflight@1.0.6
No upgrade or patch available
Additional context
Is it possible to update eslint to v9?
Hi @sebestenyb,
By mistake, I included Eslint in the dependencies instead of devDependencies. I will fix it by moving Eslint to devDependencies and it will not be included in the maz-ui installation. This issue will disappear.
And just for more information:
Unfortunately, I can't migrate Eslint to v9 for the moment because many plugins used in the project are not ready; I have to wait for plugin updates:
And inflight@1.0.6 is always present in v9. As you can see in your message "No upgrade or patch available".
Solved in v3.43.2
Understood, thank you.
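
The fix discussed in this thread (moving eslint from dependencies to devDependencies) can be checked by walking the dependency graph the way a consumer install does. The following is an added example, not code from maz-ui or Snyk; the manifests are constructed from the chain in the report above, and `pathsTo` and its `includeDev` option are hypothetical names.

```javascript
// Constructed manifests: only the edges named in the Snyk output are modelled.
const registry = {
  "eslint@8.57.0": { dependencies: ["file-entry-cache@6.0.1"] },
  "file-entry-cache@6.0.1": { dependencies: ["flat-cache@3.2.0"] },
  "flat-cache@3.2.0": { dependencies: ["rimraf@3.0.2"] },
  "rimraf@3.0.2": { dependencies: ["glob@7.2.3"] },
  "glob@7.2.3": { dependencies: ["inflight@1.0.6"] },
  "inflight@1.0.6": { dependencies: [] },
};

// maz-ui before the fix, and after it as described in the thread (assumed shape).
const before = { name: "maz-ui@3.43.0", dependencies: ["eslint@8.57.0"], devDependencies: [] };
const after = { name: "maz-ui@3.43.2", dependencies: [], devDependencies: ["eslint@8.57.0"] };

// Return every path from root to target.
// Consumer view (default): only `dependencies` are followed, because a package's
// devDependencies are not installed when it is pulled in as a dependency.
// includeDev: the view from inside the package's own repository.
function pathsTo(root, target, reg, { includeDev = false } = {}) {
  const paths = [];
  const walk = (id, deps, trail) => {
    const here = [...trail, id];
    if (id === target) { paths.push(here.join(" > ")); return; }
    for (const dep of deps) {
      if (here.includes(dep)) continue; // guard against dependency cycles
      const manifest = reg[dep] || { dependencies: [] };
      walk(dep, manifest.dependencies, here); // transitive devDependencies never apply
    }
  };
  const top = includeDev
    ? [...root.dependencies, ...root.devDependencies]
    : root.dependencies;
  walk(root.name, top, []);
  return paths;
}

console.log("consumer, before:", pathsTo(before, "inflight@1.0.6", registry));
console.log("consumer, after: ", pathsTo(after, "inflight@1.0.6", registry));
console.log("maintainer, after:", pathsTo(after, "inflight@1.0.6", registry, { includeDev: true }));
```

The consumer view loses the path after the move, while the package's own development tree still reaches inflight@1.0.6 through eslint.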