Surnet/swagger-jsdoc

vulnerability issue with inflight @1.0.6

KusumaShekarN opened this issue · 5 comments

The package inflight@1.0.6 has been identified as vulnerable; it is used as a dependency of glob@7.1.6.

The description of the issue has been reported as follows:
In npm inflight there is a memory leak because some resources are not freed correctly after being used. It appears to affect all versions.

Please consider the attachment for the details.

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Have also had this flagged in a project. I believe that upgrading glob to > v9 should resolve the issue, as they removed inflight: isaacs/inflight-DEPRECATED-DO-NOT-USE#5

I can potentially help on this

Snyk is also picking this one up.
Any hopes of fixing?

This issue has been hanging for 3 years now.
Will this get fixed any time soon?

Installing swagger gives:

npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

and npm ls inflight gives:

└─┬ swagger-jsdoc@6.2.8
  └─┬ glob@7.1.6
    └── inflight@1.0.6

Created PR #400 to bump glob to v11.0.0
Hopefully it gets looked at.