sequelize/sequelize-typescript

Vulnerability Identified in the dependency glob npm package

Opened this issue · 1 comments

Vulnerability: Missing Release of Resource after Effective Lifetime
Vulnerable module: inflight
Introduced through: sequelize-typescript@2.1.6 > glob@7.2.0 > inflight@1.0.6
Fixed in: glob@9.0

Fix: Update the glob npm package

Hello, I’ve encountered a similar problem related to the outdated version of glob used in sequelize-typescript.

Here are the details:

When running npm install, I receive multiple warnings about deprecated versions of glob:

npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported

After investigating, I found that sequelize-typescript@2.1.6 depends on glob@7.2.0:

$ npm ls glob
├─┬ sequelize-typescript@2.1.6
│ └── glob@7.2.0

The issue with outdated glob is critical as versions prior to v9 are no longer supported and may cause compatibility or security concerns. Additionally, warnings like these can clutter the installation process and make debugging more difficult for teams.

Would it be possible to update the dependency on glob to a more recent version (v9 or higher)? This would help prevent deprecation warnings and ensure better support for downstream projects.
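As an added example (not code from sequelize-typescript or from either poster), the script below reproduces the "Introduced through" chain from the report and the `npm ls glob` check from the comment directly against a lockfile, so a downstream team can verify the path to inflight and list every installed glob copy below the supported major. It assumes the lockfileVersion 2/3 shape of package-lock.json (a `packages` map keyed by install path, `""` being the root project) and Node's nearest-node_modules resolution rule. The lockfile is constructed for the example: "example-app" and "example-tool" are hypothetical names; the sequelize-typescript, glob and inflight versions are the ones reported in the issue.

```javascript
"use strict";

const NM = "node_modules/";

// Constructed sample lockfile (not a real project). glob@7.2.0 is nested under
// sequelize-typescript because the hoisted copy at node_modules/glob is 7.2.3,
// which mirrors the two deprecation warnings quoted in the issue.
const lock = {
  name: "example-app", // hypothetical root project name
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "sequelize-typescript": "^2.1.6", "example-tool": "^1.0.0" } },
    "node_modules/sequelize-typescript": { version: "2.1.6", dependencies: { glob: "7.2.0" } },
    "node_modules/sequelize-typescript/node_modules/glob": { version: "7.2.0", dependencies: { inflight: "^1.0.4" } },
    "node_modules/example-tool": { version: "1.0.0", dependencies: { glob: "^7.2.3" } }, // hypothetical
    "node_modules/glob": { version: "7.2.3", dependencies: { inflight: "^1.0.4" } },
    "node_modules/inflight": { version: "1.0.6", dependencies: { once: "^1.3.0", wrappy: "1" } },
    "node_modules/once": { version: "1.4.0", dependencies: { wrappy: "1" } },
    "node_modules/wrappy": { version: "1.0.2" },
  },
};

// Node's lookup order: <fromPath>/node_modules/<dep>, then one node_modules
// level up, until the root. Returns the lockfile key of the copy that wins.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base === "" ? "" : base + "/") + NM + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const up = base.lastIndexOf("/" + NM);
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// "name@version" for a lockfile key; the root is labelled with the project name.
function label(lock, path) {
  if (path === "") return lock.name || "<root>";
  const name = path.slice(path.lastIndexOf(NM) + NM.length);
  return `${name}@${lock.packages[path].version}`;
}

// Every dependency chain from the root to `target`, as "a@1 > b@2 > target@3".
// A depth-first walk; `onStack` guards against cyclic dependency graphs.
function findPaths(lock, target) {
  const packages = lock.packages;
  const results = [];
  const walk = (path, chain, onStack) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const next = resolveDep(packages, path, dep);
      if (!next || onStack.has(next)) continue; // not installed, or a cycle
      const nextChain = [...chain, label(lock, next)];
      if (dep === target) results.push(nextChain.join(" > "));
      onStack.add(next);
      walk(next, nextChain, onStack);
      onStack.delete(next);
    }
  };
  walk("", [label(lock, "")], new Set([""]));
  return results;
}

// Installed copies of `name` (hoisted or nested) whose major version is below
// `minMajor`; for glob the supported floor is 9, per the npm warning.
function outdatedInstalls(lock, name, minMajor) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !path.endsWith(NM + name)) continue;
    const major = Number.parseInt(meta.version.split(".")[0], 10);
    if (major < minMajor) out.push({ path, version: meta.version });
  }
  return out;
}

const chains = findPaths(lock, "inflight");
console.log(chains.join("\n"));
console.log(outdatedInstalls(lock, "glob", 9));
```

To run this against a real project, replace the constructed `lock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the output should agree with `npm ls inflight` and `npm ls glob`. Until the library updates its dependency, a consumer can add `"overrides": { "glob": "^9.0.0" }` to its own package.json, which makes npm install glob 9 for transitive dependents as well and removes this path to inflight; since glob 9 is a major release, verify afterwards that sequelize-typescript still works with it, because the override substitutes a version the library's maintainers did not test against.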