Update glob-parent to v6.0.0 to avoid known ReDoS vulnerability
andronocean opened this issue · 0 comments
andronocean commented
Hi there :)
There's a disclosed Regular Expression Denial-of-Service vulnerability in one of glob-base's dependencies: glob-parent versions older than 5.1.2. (SNYK-JS-GLOBPARENT-1016905). A fix was merged: gulpjs/glob-parent#36
glob-base itself is a dependency of some other pretty large projects, so it would be wonderful to get this updated. For example, I discovered the issue since the very popular Tailwind CSS framework relies on your other project parse-glob, which in turn relies on this.
Happy to try to put a PR together if necessary, although I'm not a Node expert should changes be needed.