Vulnerability issue from Snyk scan
dtrrk opened this issue · 3 comments
Issue
Can we bump the version of glob? There is a vulnerability that comes from glob -> inflight.
The latest version of glob does not use inflight.
Versions
- sequelize: 6.34.0
- sequelize-typescript: 2.1.6
- typescript: 4.8.4
Issue type
- bug report
- feature request
Actual behavior
Expected behavior
Steps to reproduce
Related code
I can update it to 7.2.3, but we can't go higher than that since we still support Node 10. Do you know if that fixes this warning? We would be on the latest v1 release of inflight when we update. Not sure which version we are on now.
No, 7.2.3 still uses "inflight" dependency.
I think 7.2.3 and 7.2.0 use the same version of inflight and it is the latest.
In fact, I don’t know which version of glob got rid of inflight, but in the latest version of glob this package is definitely not there
Then you can try to override glob yourself. If you're using npm you can use the overrides attribute; https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
Alternatively you can try preparing and migrating to the v7 alphas of @sequelize/core, which include the features of sequelize-typescript in sequelize itself. We're not going to make any impacting changes to sequelize-typescript anymore, like dropping support for certain Node versions.
Because resolving this vulnerability requires us to drop support for Node 10 I will close this as not planned.
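Added example, not code from this thread or from the sequelize-typescript project: the override route suggested above, worked through in a consumer project. It shows how to add a package.json `overrides` entry that pins glob only underneath sequelize-typescript (rather than for every package in the tree), and how to verify from package-lock.json (lockfileVersion 2 or 3, which carry the flat `packages` map) that inflight is actually gone and which packages still declare it. The lockfile excerpts are constructed to resemble the issue's situation, with dependency lists trimmed; the package names are real, the version `^10.3.10` is an assumption chosen only because glob 9 and later no longer depend on inflight. Two caveats a practitioner should check before relying on this: glob 9+ requires a newer Node than 10, so the override only helps projects that have already moved on, and an override swaps in a different glob major than the library was written against, so confirm that sequelize-typescript's calls into glob still behave correctly on your install.

```javascript
// Added example (not from the sequelize-typescript project): inspect an npm
// lockfile (lockfileVersion 2 or 3, flat "packages" map keyed by install path)
// for a transitive dependency such as inflight, and build the scoped
// package.json "overrides" entry that pins glob for one dependent only.

// Package name from a lockfile path: the segment after the last "node_modules/".
function nameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Every installed copy of `name` (nested copies included) as [path, version].
function installedCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p !== "" && nameFromPath(p) === name)
    .map(([p, meta]) => [p, meta.version]);
}

// Packages whose declared dependencies include `name`: who pulls it in.
function dependentsOf(lock, name) {
  return Object.entries(lock.packages)
    .filter(([, meta]) => meta.dependencies && name in meta.dependencies)
    .map(([p]) => (p === "" ? "(root)" : nameFromPath(p)))
    .sort();
}

// Copy of package.json with an override that pins `dep` only under `parent`.
// A top-level {"glob": "..."} override would instead rewrite glob everywhere.
function withScopedOverride(pkg, parent, dep, range) {
  const overrides = { ...(pkg.overrides || {}) };
  overrides[parent] = { ...(overrides[parent] || {}), [dep]: range };
  return { ...pkg, overrides };
}

// Constructed lockfile excerpt: glob 7.2.0 under sequelize-typescript still
// declares inflight, so the advisory shows up in the consumer's tree.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "sequelize-typescript": "^2.1.6" } },
    "node_modules/sequelize-typescript": { version: "2.1.6", dependencies: { glob: "7.2.0" } },
    "node_modules/glob": { version: "7.2.0", dependencies: { inflight: "^1.0.4", minimatch: "^3.1.1", once: "^1.3.0" } },
    "node_modules/inflight": { version: "1.0.6", dependencies: { once: "^1.3.0", wrappy: "1" } },
    "node_modules/once": { version: "1.4.0", dependencies: { wrappy: "1" } },
    "node_modules/wrappy": { version: "1.0.2" },
    "node_modules/minimatch": { version: "3.1.2" },
  },
};

// Constructed lockfile after reinstalling with the override in place. The
// dependent still *declares* glob 7.2.0 (npm keeps the declared range), but the
// installed glob is 10.x and no package in the tree declares inflight any more.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "sequelize-typescript": "^2.1.6" } },
    "node_modules/sequelize-typescript": { version: "2.1.6", dependencies: { glob: "7.2.0" } },
    "node_modules/glob": { version: "10.3.10", dependencies: { minimatch: "^9.0.1", "path-scurry": "^1.10.1" } },
    "node_modules/minimatch": { version: "9.0.3" },
    "node_modules/path-scurry": { version: "1.10.1" },
  },
};

// Summary used when diffing the tree before and after an override.
function report(lock, name) {
  return { copies: installedCopies(lock, name), dependents: dependentsOf(lock, name) };
}

// Consumer package.json (constructed) and the same file with the scoped override added.
const PKG = { name: "app", dependencies: { "sequelize-typescript": "^2.1.6" } };
const PATCHED = withScopedOverride(PKG, "sequelize-typescript", "glob", "^10.3.10");

console.log(JSON.stringify(PATCHED.overrides)); // {"sequelize-typescript":{"glob":"^10.3.10"}}
console.log(JSON.stringify(report(LOCK_BEFORE, "inflight"))); // copies: node_modules/inflight 1.0.6, dependents: ["glob"]
console.log(JSON.stringify(report(LOCK_AFTER, "inflight")));  // copies: [], dependents: []
```

On a real project, feed `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `report` after running `npm install`; `npm ls inflight` gives the same answer from the CLI. The `dependentsOf` check matters because a lockfile can briefly lose the installed copy while a package still declares the dependency, which `npm install` will then bring back.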