mde/ejs

Update jake dependency to avoid minimatch@3.0.4 snyk vulnerability

tmbp95 opened this issue · 1 comments

tmbp95 commented

Hello, I'm currently using the latest ejs version (3.1.9), which points to Jake version 10.8.5 (https://github.com/mde/ejs/blob/v3.1.9/package.json#L25).
Unfortunately, that version of Jake still uses minimatch@3.0.4, which is being pointed out by Snyk as a vulnerability.

path: ejs@3.1.9 › jake@10.8.5 › minimatch@3.0.4

I see that the jake package has already been updated to 10.8.7, and that version already updates minimatch.
Do you have any estimate or timeframe for the update to the new version of jake?

Thank you!

Hello @mde, the version of jake@10.8.5 being used has a dependency on minimatch@3.0.4 which has a vulnerability of CVSS score 7.5 as reported here and this was fixed with jake@10.8.7.
Please let us know the plans to upgrade the package to latest to remedy the reported CVE (CVE-2022-3517).
Thanks in advance.

+-- ejs@3.1.9
| `-- jake@10.8.5
|   +-- async@3.2.4
|   +-- chalk@4.1.2
|   | +-- ansi-styles@4.3.0
|   | | `-- color-convert@2.0.1
|   | |   `-- color-name@1.1.4
|   | `-- supports-color@7.2.0
|   |   `-- has-flag@4.0.0
|   +-- filelist@1.0.4
|   | `-- minimatch@5.1.0
|   |   `-- brace-expansion@2.0.1
|   |     `-- balanced-match@1.0.0 deduped
|   `-- minimatch@3.0.4
|     `-- brace-expansion@1.1.11
|       +-- balanced-match@1.0.0
|       `-- concat-map@0.0.1