[Security] Update rimraf to 2.5.3 #23
minimatch <=3.0.1 is vulnerable to a Regex Denial of Service attack
https://nodesecurity.io/advisories/118
node-mv depends on rimraf, which depends on glob, which depends on minimatch, which has the vulnerability.
Please bump rimraf from ~2.4.0 to >=2.5.3 to resolve this vulnerability.
isaacs/minimatch@6944abf
isaacs/node-glob@f0f0872
isaacs/rimraf@9e2c310

Comments

Hello @andrewrk / @cscott / @deestan / @mcandre. Any way we can get this update? Preferably to a more recent version of rimraf. In our case, minimatch fixed our vulnerability in v3.0.5 and rimraf v2.7.1 has the necessary updates for us to pick up the fix, which will also resolve the request from @rosskukulinski.

Please submit a tested security patch. Another option involves publishing a patched fork of this dependency package, and then publishing a patched downstream package. Had to do that many times for Node projects lacking proactive maintainers.

Another option is to just ignore this warning, since it's not actually a vulnerability. Being able to DoS yourself by providing commands to this package is not an attack.

Disregard that. Not a good posture.

@mcandre it's a quite good posture, actually. Most CVEs in the npm ecosystem are false positives, and since I'm responsible for well over 10% of npm's entire download traffic, my security postures are more thoroughly battle-tested than most, including this one.

Thank you all for the fast response. This is the minimatch issue I was looking at, which in turn was fixed by their brace-expansion dependency: I'm also leaning on this being a warning and not necessarily a vulnerability.
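The issue body states the chain node-mv -> rimraf -> glob -> minimatch and the advisory range minimatch <=3.0.1. The script below is an added example, not code from node-mv or any of the linked projects: it walks an `npm ls --json`-style dependency tree and lists every path that ends at a minimatch version inside that range, so a maintainer can confirm whether a proposed rimraf bump actually removes the vulnerable transitive dependency. The two trees are constructed for illustration; the version numbers of glob and minimatch under each rimraf release are assumptions, not taken from the page, and the tiny semver comparison handles only plain `major.minor.patch` strings.

```javascript
// Added example (not from the node-mv project): audit an `npm ls --json`-style
// dependency tree for minimatch versions within the advisory range (<= 3.0.1).

// Parse a plain "major.minor.patch" version into numbers; pre-release tags are not handled.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; numeric comparison, so 3.10.0 > 3.9.9.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range taken from the advisory quoted in the issue: minimatch <= 3.0.1 is affected.
const VULNERABLE_MINIMATCH_MAX = '3.0.1';
function isVulnerableMinimatch(version) {
  return compareSemver(version, VULNERABLE_MINIMATCH_MAX) <= 0;
}

// Depth-first walk over nested `dependencies` maps (the shape `npm ls --json` prints),
// collecting the full path to every node named `pkgName` whose version is vulnerable.
function findVulnerablePaths(tree, pkgName, isVulnerable) {
  const hits = [];
  const walk = (node, name, path) => {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkgName && isVulnerable(node.version)) hits.push(here.join(' > '));
    for (const [depName, depNode] of Object.entries(node.dependencies || {})) {
      walk(depNode, depName, here);
    }
  };
  walk(tree, tree.name, []);
  return hits;
}

// Constructed tree resembling the situation the issue describes: an old rimraf
// pulling in a minimatch inside the advisory range. Versions are assumed.
const beforeBump = {
  name: 'node-mv', version: '2.0.0',
  dependencies: { rimraf: { version: '2.4.5',
    dependencies: { glob: { version: '5.0.15',
      dependencies: { minimatch: { version: '3.0.0' } } } } } },
};

// Constructed tree after bumping rimraf; the glob/minimatch versions are assumed
// to be ones outside the advisory range, which is what the audit should confirm.
const afterBump = {
  name: 'node-mv', version: '2.0.0',
  dependencies: { rimraf: { version: '2.5.3',
    dependencies: { glob: { version: '7.0.5',
      dependencies: { minimatch: { version: '3.0.2' } } } } } },
};

// Stand-alone run: prints the vulnerable paths for each tree (empty array = clean).
console.log('before bump:', findVulnerablePaths(beforeBump, 'minimatch', isVulnerableMinimatch));
console.log('after bump: ', findVulnerablePaths(afterBump, 'minimatch', isVulnerableMinimatch));
```

To run this against a real project, replace the constructed trees with `JSON.parse` of the output of `npm ls --json` (or `npm ls minimatch --json` to limit the tree); the walk is the same, and an empty result after the bump is the evidence a reviewer would want attached to the pull request.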