microsoft/just

a vulnerability CVE-2020-28469 is introduced in just-task

ayaka-kms opened this issue · 2 comments

Hi, @kenotron, a vulnerability CVE-2020-28469 is introduced in just-task via:
● just-task@1.4.1 ➔ glob-watcher@5.0.5 ➔ chokidar@2.1.8 ➔ glob-parent@3.1.0

However, glob-watcher is a legacy package, which has not been maintained for about 1 year.
Is it possible to migrate glob-watcher to another package to remediate this vulnerability?

I noticed a migration record in another JS repo for glob-watcher:

● in @11ty/eleventy, version 0.6.0 ➔ 0.7.0, migrate glob-watcher to chokidar via commit

Thanks.

#558 should address this

This should be fixed.
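
An added example, not part of the issue thread or of the just-task code base: a short Node.js check that lists every dependency chain ending at a given package version in a tree shaped like `npm ls --json` output, which is one way to confirm that the chain reported above is gone after an upgrade. The sample tree is constructed from the versions quoted in the issue; `findChains`, `withoutDependency` and the `example-*` packages are hypothetical names.

```javascript
// Constructed sample in the shape printed by `npm ls --json`.
// Names and versions on the reported chain are the ones quoted in the issue;
// the example-* entries are made up to give the walk something to skip.
const sampleTree = {
  name: "just-task",
  version: "1.4.1",
  dependencies: {
    "glob-watcher": {
      version: "5.0.5",
      dependencies: {
        chokidar: {
          version: "2.1.8",
          dependencies: {
            "glob-parent": { version: "3.1.0" },
            "example-sibling": { version: "0.0.0" }
          }
        }
      }
    },
    "example-direct": { version: "0.0.0" }
  }
};

// Return every chain from the root that ends at name@version.
function findChains(tree, name, version) {
  const chains = [];
  const walk = (node, nodeName, trail) => {
    const here = trail.concat(`${nodeName}@${node.version}`);
    if (nodeName === name && node.version === version) {
      chains.push(here.join(" > "));
    }
    // Leaf nodes have no "dependencies" key, so default to an empty object.
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return chains;
}

// Copy of the tree with one direct dependency dropped, standing in for the
// state after the watcher package has been replaced (constructed).
function withoutDependency(tree, depName) {
  const { [depName]: _dropped, ...rest } = tree.dependencies || {};
  return { ...tree, dependencies: rest };
}

console.log(findChains(sampleTree, "glob-parent", "3.1.0"));
console.log(findChains(withoutDependency(sampleTree, "glob-watcher"), "glob-parent", "3.1.0"));
```

Against a real project, the tree would come from parsing the output of `npm ls --json --all` instead of the inline sample.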