New fast-glob version required due to dependency CVE in micromatch #443
When can we expect a new version of the "fast-glob" with the fix?

Here is an MR to fix this issue

We will probably have to fork this repo, not sure who are the maintainers.
DennisRasey pushed a commit to DennisRasey/forgejo that referenced this issue Jan 6, 2025
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [fast-glob](https://github.com/mrmlnc/fast-glob) | dependencies | patch | [`3.3.2` -> `3.3.3`](https://renovatebot.com/diffs/npm/fast-glob/3.3.2/3.3.3) |

---

### Release Notes

<details>
<summary>mrmlnc/fast-glob (fast-glob)</summary>

### [`v3.3.3`](https://github.com/mrmlnc/fast-glob/releases/tag/3.3.3)

[Compare Source](mrmlnc/fast-glob@3.3.2...3.3.3)

> **Full Changelog**: mrmlnc/fast-glob@3.3.2...3.3.3

#### 💬 Common

- Refer to micromatch@4.0.8 to avoid annoying npm audit spam ([#443](mrmlnc/fast-glob#443), [#444](mrmlnc/fast-glob#444), [#454](mrmlnc/fast-glob#454), [#456](mrmlnc/fast-glob#456), [#457](mrmlnc/fast-glob#457), [#461](mrmlnc/fast-glob#461))

#### 🐛 Bug fixes

- Apply absolute negative patterns to full path instead of file path ([#441](mrmlnc/fast-glob#441), thanks [@webpro](https://github.com/webpro))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 * * *" (UTC), Automerge - "* 0-3 * * *" (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6476
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Hello,
Could you please provide a rebuild / new version of fast-glob to bump to the new micromatch dependency version 4.0.6?
fast-glob 3.3.2 defines a dependency on micromatch.
```
├─┬ fast-glob@3.3.2
│ │ ├── @nodelib/fs.stat@2.0.5
│ │ ├── @nodelib/fs.walk@1.2.8 deduped
│ │ ├─┬ glob-parent@5.1.2
│ │ │ └── is-glob@4.0.3 deduped
│ │ ├── merge2@1.4.1
│ │ └─┬ micromatch@4.0.5
```
How to fix?
Upgrade micromatch to version 4.0.6 or higher.
See: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
Thanks.
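
One way to find every installed copy of micromatch that is still below the 4.0.6 threshold quoted in the issue, including copies nested under another package, by walking an npm lockfile. This is an added example, not code from the thread or from the fast-glob project; `findOutdated`, `compareVersions` and the sample lockfile are constructed for illustration, and it assumes a `package-lock.json` with lockfileVersion 2 or 3.

```javascript
// Added example: list copies of a package in an npm lockfile that are older
// than a fixed version. The 4.0.6 threshold is the one quoted in the issue.
const FIXED = "4.0.6";

// Compare two plain x.y.z versions; prerelease/build suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3). lock.packages maps
// install paths such as "node_modules/a/node_modules/b" to { version, ... }.
function findOutdated(lock, name = "micromatch", fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const parts = path.split("node_modules/");
    if (parts[parts.length - 1] !== name) continue; // not the package we want
    if (!meta.version || compareVersions(meta.version, fixed) >= 0) continue;
    // A nested copy sits under the package that could not use the hoisted one.
    const nestedUnder = parts.length > 2
      ? parts[parts.length - 2].replace(/\/$/, "")
      : "(top level)";
    hits.push({ path, version: meta.version, nestedUnder });
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/fast-glob": { version: "3.3.2" },
    "node_modules/fast-glob/node_modules/micromatch": { version: "4.0.5" },
    "node_modules/micromatch": { version: "4.0.8" },
  },
};

console.log(findOutdated(sampleLock));
```

To scan a real project, pass `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`.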