niji-co/Fusion-Web

Vulnerability found in "glob-parent" package

Opened this issue · 2 comments

Description

Dependabot found a vulnerability in the glob-parent package in our yarn.lock. Dependabot was unable to generate an automatic fix, so we would have to figure something out ourselves.

Remediation

Upgrade glob-parent to version 5.1.2 or later. For example:

glob-parent@^5.1.2:
  version "5.1.2"
Always verify the validity and compatibility of suggestions with your codebase.

Details

CVE-2020-28469
moderate severity
Vulnerable versions: < 5.1.2
Patched version: 5.1.2
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in an enclosure containing a path separator is vulnerable to regular expression denial of service (ReDoS): a crafted glob string makes the check backtrack excessively.
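
Added example, not code from the original issue and not the Fusion-Web project's own: the enclosure check before and after the 5.1.2 fix. Both regexes are reconstructed from the upstream 5.1.1 to 5.1.2 change and are an assumption to check against the package source; the input generator, the sample patterns and the timing helper are mine.

```javascript
// Added example: the "enclosure" special case in glob-parent, before and after
// the CVE-2020-28469 fix. Both regexes are reconstructed from the upstream
// 5.1.1 -> 5.1.2 change (assumption: check them against the package source).
const ENCLOSURE_VULNERABLE = /[\{\[].*[\/]*.*[\}\]]$/; // glob-parent < 5.1.2
const ENCLOSURE_FIXED = /[\{\[].*[\}\]]$/;             // glob-parent 5.1.2

// What the check decides: does the pattern end in a {...} or [...] group?
// glob-parent appends a "/" in that case before walking up with dirname().
function endsInEnclosure(str, re) {
  return re.test(str);
}

// Malicious input: an opening brace, n path separators and no closing brace.
// The match must fail, and `.*[\/]*.*` gives the engine roughly n^3/6 ways to
// split the separators before it gives up. `.*` alone already matches "/", so
// the fixed regex accepts exactly the same strings with linear backtracking.
function redosInput(n) {
  return '{' + '/'.repeat(n);
}

function timeMs(re, str) {
  const start = process.hrtime.bigint();
  re.test(str);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed glob patterns covering the decision the regex makes.
const SAMPLES = ['src/{a,b}/*.js', 'a/[bc]/', 'a/{b/c}', 'a/[b/c]', 'a/{b', 'plain/path', '{/}', ''];

// The fix is performance-only: both regexes agree on every sample.
function sameResults(samples = SAMPLES) {
  return samples.every(
    (s) => endsInEnclosure(s, ENCLOSURE_VULNERABLE) === endsInEnclosure(s, ENCLOSURE_FIXED)
  );
}

// Doubling n should multiply the vulnerable time by about 8 and the fixed one by about 2.
function backtrackingGrowth(n = 300) {
  return {
    vulnerable: [timeMs(ENCLOSURE_VULNERABLE, redosInput(n)), timeMs(ENCLOSURE_VULNERABLE, redosInput(2 * n))],
    fixed: [timeMs(ENCLOSURE_FIXED, redosInput(n)), timeMs(ENCLOSURE_FIXED, redosInput(2 * n))],
  };
}

console.log('same results on samples:', sameResults());
console.log('ms for n and 2n:', backtrackingGrowth());
```

Run it with `node` and compare the two pairs of timings: the fixed regex stays roughly linear while the vulnerable one grows cubically, which is why a single long glob string handed to a file watcher or build tool that uses glob-parent can stall the process. Only the timing changes; both regexes return the same boolean for every sample.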

@sophiewongsp

So... we have a problem. After merging #57 the dependabot alert is still there. Went to do some digging, and I am not sure why, but there seem to be multiple copies of that package with different versions. Some of them are updated, while the others aren't. Here are some of the examples:

glob-parent "^3.1.0"
glob-parent "~5.1.0"
glob-parent "^5.1.2"

Can you help me look into this and figure out why this is the case and how to resolve it?
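
Added example, not part of the original thread and not code from the Fusion-Web repository: a small audit of a yarn.lock v1 file that explains the situation in the comment above. Each `glob-parent@<range>` key in the lock is a separate entry, and an entry is only re-resolved to 5.1.2 if its range can accept 5.1.2; `~5.1.0` can, `^3.1.0` never can, so updating the lock leaves that entry (and the alert) in place until the package that requests `^3.1.0` changes or is overridden. The lockfile excerpt is constructed (the names `@scope/some-tool` and `another-tool` are placeholders), and the range logic covers only exact, caret and tilde ranges.

```javascript
// Added example: audit a yarn.lock v1 for every entry of one package and say,
// per entry, whether re-resolving can reach the patched version or whether the
// dependent that requests it has to change. Not code from the Fusion-Web repo.
const PACKAGE = 'glob-parent';
const PATCHED = '5.1.2';

// Constructed lockfile excerpt mirroring the three ranges quoted in the thread.
// Names other than glob-parent are placeholders; `resolved`/`integrity` omitted.
const YARN_LOCK = `
# yarn lockfile v1

"@scope/some-tool@^1.0.0":
  version "1.0.0"
  dependencies:
    glob-parent "^3.1.0"

another-tool@^2.0.0:
  version "2.3.0"
  dependencies:
    glob-parent "~5.1.0"

glob-parent@^3.1.0:
  version "3.1.0"
  dependencies:
    is-glob "^3.1.0"
    path-dirname "^1.0.0"

glob-parent@~5.1.0:
  version "5.1.1"
  dependencies:
    is-glob "^4.0.1"

glob-parent@^5.1.2:
  version "5.1.2"
  dependencies:
    is-glob "^4.0.1"
`;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Exact, caret and tilde ranges only; anything else returns null so the caller
// reports it instead of guessing.
function satisfies(version, range) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) return null;
  const [op, base] = [m[1], m[2]];
  if (compareVersions(version, base) < 0) return false;
  if (op === '') return compareVersions(version, base) === 0;
  const [vMaj, vMin] = parseVersion(version);
  const [bMaj, bMin] = parseVersion(base);
  if (op === '~') return vMaj === bMaj && vMin === bMin;      // ~5.1.0 -> 5.1.x
  if (bMaj > 0) return vMaj === bMaj;                         // ^3.1.0 -> 3.x.y only
  if (bMin > 0) return vMaj === 0 && vMin === bMin;           // ^0.3.1 -> 0.3.y
  return compareVersions(version, base) === 0;                // ^0.0.x is exact
}

// Minimal yarn.lock v1 reader: entry headers are unindented `key, key:` lines,
// `version` is indented two spaces, dependency lines four.
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {
      const keys = raw.slice(0, -1).split(', ').map((k) => {
        const key = k.replace(/"/g, '');
        const at = key.lastIndexOf('@');                      // scoped names start with @
        return { name: key.slice(0, at), range: key.slice(at + 1) };
      });
      cur = { keys, version: null, dependencies: {} };
      entries.push(cur);
      inDeps = false;
      continue;
    }
    const line = raw.trim();
    if (line === 'dependencies:' || line === 'optionalDependencies:') { inDeps = true; continue; }
    const kv = /^"?([^"\s]+)"? "([^"]*)"$/.exec(line);
    if (!kv) continue;
    if (inDeps && raw.startsWith('    ')) cur.dependencies[kv[1]] = kv[2];
    else if (kv[1] === 'version') cur.version = kv[2];
  }
  return entries;
}

function audit(lockText, pkg = PACKAGE, patched = PATCHED) {
  const entries = parseYarnLock(lockText);
  const dependents = {};                                      // range -> packages requesting it
  for (const e of entries) {
    const r = e.dependencies[pkg];
    if (r !== undefined) (dependents[r] = dependents[r] || []).push(e.keys[0].name);
  }
  const report = [];
  for (const e of entries) {
    for (const k of e.keys) {
      if (k.name !== pkg) continue;
      const vulnerable = compareVersions(e.version, patched) < 0;
      const reachable = satisfies(patched, k.range);
      let action = 'ok';
      if (vulnerable) action = reachable === null ? 'inspect-range' : reachable ? 're-resolve' : 'upgrade-dependents-or-override';
      report.push({ range: k.range, locked: e.version, vulnerable, reachable, dependents: dependents[k.range] || [], action });
    }
  }
  return report;
}

// A selective resolution forces every requester onto the patched line; only
// suggest it when some range cannot reach the patch on its own.
function suggestResolutions(report, pkg = PACKAGE, patched = PATCHED) {
  const stuck = report.filter((r) => r.action === 'upgrade-dependents-or-override');
  return stuck.length ? { resolutions: { [`**/${pkg}`]: `^${patched}` } } : null;
}

console.table(audit(YARN_LOCK));
console.log(JSON.stringify(suggestResolutions(audit(YARN_LOCK)), null, 2));
```

On the constructed lock the `~5.1.0` entry is reported as `re-resolve` (a `yarn upgrade glob-parent` moves it to 5.1.2), while the `^3.1.0` entry is `upgrade-dependents-or-override`, with `yarn why glob-parent` giving the same dependent list on a real repository. The `resolutions` block the script prints goes into package.json and forces 5.1.2 onto every requester, but that pushes a dependent that declared `^3.1.0` across two major versions it never tested against, so upgrading that dependent to a release that already requires glob-parent 5 is the cleaner fix, and the override is the fallback when no such release exists.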