Vulnerability found in "glob-parent" package
Description
Dependabot found a vulnerability in the glob-parent package in our yarn.lock. Dependabot was unable to generate an automatic fix, so we would have to figure something out ourselves.
Remediation
Upgrade glob-parent to version 5.1.2 or later. For example:
```
glob-parent@^5.1.2:
  version "5.1.2"
```
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-28469
moderate severity
Vulnerable versions: < 5.1.2
Patched version: 5.1.2
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
So... we have a problem. After merging #57 the dependabot alert is still there. Went to do some digging, and I am not sure why, but there seem to be multiple copies of that package with different versions. Some of them are updated, while the others aren't. Here are some of the examples:
Line 2361 in 6398e2d
Line 2379 in 6398e2d
Line 1233 in 6398e2d
Can you help me look into this and figure out why this is the case and how to resolve it?
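The situation described above (several `glob-parent` entries in one `yarn.lock`, only some of them at the patched version) is what a yarn v1 lockfile produces whenever different dependents request the package through different semver ranges: yarn dedupes only within a range, so an entry pulled in by `^3.1.0` can never resolve to `5.1.2`. The script below is an added example, not code from this issue, from Dependabot or from the project; the lockfile text it parses is constructed for illustration, and only the package name, the vulnerable range (`< 5.1.2`) and the patched version `5.1.2` come from the alert. It lists every resolved version of a package, flags the ones still below the patched version, and, for each requesting range, says whether re-resolving the lock entry is enough or whether the dependent that requests it has to be upgraded or overridden. The `range_allows` helper models only `^`, `~` and exact ranges, which is an assumption of this example and not full npm semver.

```python
"""List every resolved version of a package in a yarn.lock (v1 format) and
flag the entries that still resolve below a patched version.

Added example; the lockfile below is constructed and is not the project's.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample yarn.lock: three separate glob-parent entries, each created
# by a different dependent's semver range. Only the last one is already patched.
SAMPLE_YARN_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


glob-parent@^3.1.0:
  version "3.1.0"
  resolved "https://registry.example/glob-parent/-/glob-parent-3.1.0.tgz"
  dependencies:
    is-glob "^3.1.0"
    path-dirname "^1.0.0"

glob-parent@^5.0.0, glob-parent@~5.1.0:
  version "5.1.0"
  resolved "https://registry.example/glob-parent/-/glob-parent-5.1.0.tgz"
  dependencies:
    is-glob "^4.0.1"

glob-parent@^5.1.2:
  version "5.1.2"
  resolved "https://registry.example/glob-parent/-/glob-parent-5.1.2.tgz"
  dependencies:
    is-glob "^4.0.1"

is-glob@^4.0.1:
  version "4.0.1"
  resolved "https://registry.example/is-glob/-/is-glob-4.0.1.tgz"
'''

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn "5.1.2" into a comparable (5, 1, 2) tuple (no prerelease handling)."""
    major, minor, patch = (int(p) for p in text.split(".")[:3])
    return major, minor, patch


def parse_yarn_lock(text: str) -> List[Tuple[List[str], str]]:
    """Return (requested_specs, resolved_version) for every entry in a v1 lockfile.

    An entry header sits at column 0 and ends with ':'; its specs are separated
    by ', ' and may be quoted. The entry's 'version' line is indented two spaces.
    """
    entries: List[Tuple[List[str], str]] = []
    specs: List[str] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            continue
        m = re.match(r'^  version "([^"]+)"$', line)
        if m and specs:
            entries.append((specs, m.group(1)))
            specs = []
    return entries


def resolved_versions(text: str, package: str) -> Dict[str, List[str]]:
    """Map each resolved version of `package` to the specs that pulled it in."""
    out: Dict[str, List[str]] = {}
    for specs, version in parse_yarn_lock(text):
        # rsplit keeps scoped names such as @scope/pkg@^1.0.0 intact.
        names = {s.rsplit("@", 1)[0] for s in specs}
        if package in names:
            out.setdefault(version, []).extend(specs)
    return out


def vulnerable_entries(text: str, package: str, patched: str) -> Dict[str, List[str]]:
    """Subset of resolved_versions() whose version is below the patched one."""
    fixed = parse_version(patched)
    return {v: specs for v, specs in resolved_versions(text, package).items()
            if parse_version(v) < fixed}


def range_allows(spec: str, version: str) -> bool:
    """Does the range in `spec` admit `version`? Models ^, ~ and exact only.

    ^x.y.z keeps the leftmost non-zero component fixed (^3.1.0 is >=3.1.0 <4.0.0);
    ~x.y.z keeps major and minor fixed (~5.1.0 is >=5.1.0 <5.2.0).
    """
    rng = spec.rsplit("@", 1)[1]
    v = parse_version(version)
    if rng.startswith("^"):
        lo = parse_version(rng[1:])
        if lo[0] != 0:
            return lo <= v < (lo[0] + 1, 0, 0)
        if lo[1] != 0:
            return lo <= v < (0, lo[1] + 1, 0)
        return v == lo
    if rng.startswith("~"):
        lo = parse_version(rng[1:])
        return lo <= v < (lo[0], lo[1] + 1, 0)
    if rng[:1].isdigit():
        return v == parse_version(rng)
    return False  # other range syntaxes (>=, ||, x-ranges) are not modelled here


def upgrade_plan(text: str, package: str, patched: str) -> Dict[str, str]:
    """For each spec still resolving below `patched`: 'rewrite-lock' if the
    range already admits the patched version (re-resolving the entry suffices),
    otherwise 'override' (the dependent must be upgraded or the version forced)."""
    plan: Dict[str, str] = {}
    for specs in vulnerable_entries(text, package, patched).values():
        for spec in specs:
            plan[spec] = "rewrite-lock" if range_allows(spec, patched) else "override"
    return plan


if __name__ == "__main__":
    for v, specs in sorted(resolved_versions(SAMPLE_YARN_LOCK, "glob-parent").items()):
        print(f"glob-parent {v} <- {', '.join(specs)}")
    for spec, action in upgrade_plan(SAMPLE_YARN_LOCK, "glob-parent", "5.1.2").items():
        print(f"{spec}: {action}")
```

Run against a real lockfile by replacing `SAMPLE_YARN_LOCK` with the file's contents. Entries reported as `rewrite-lock` disappear after the stale entry is removed and `yarn install` re-resolves it; entries reported as `override` are the ones Dependabot cannot fix on its own, because the dependent's range excludes the patched version, so either that dependent needs a newer release or the version has to be forced for the whole tree with Yarn's `resolutions` field in `package.json`.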