glob-parent 3.1.0 dependency vulnerability on @babel/cli@7.13.14 #13135
Comments
Hey @madhurjya! We really appreciate you taking the time to report an issue. The collaborators on this project attempt to help as many people as possible, but we're a limited number of volunteers, so it's possible this won't be addressed swiftly. If you need any help, or just have general Babel or JavaScript questions, we have a vibrant Slack community that typically always has someone willing to help. You can sign-up here for an invite.
That dependency is only used when you are on Node.js 6. If you use Node.js 8+ the vulnerable code is never executed on your machine. On Node.js 6 (which hasn't been maintained for years anyway) there is no alternative for that package (which is a fork of
@nicolo-ribaudo I might be misunderstanding, but given that Node.js < 10 is not supported at all anymore, what is the reasoning behind keeping around dependencies that support Node.js 6? It makes it difficult to ensure we are not executing vulnerable code if it is kept around as a dependency, even if never used, to maintain legacy support for platforms that are well beyond their supported maintenance windows.
Babel 7 supports Node.js 6+. We will drop support for Node.js 6, 8, 10, 11 and 13 in the next major. |
I am literally having to fork babel-cli and remove this from it over this issue. |
The issue here is with the vulns reporting tool that doesn't allow marking some vulnerability as "not actually affecting my codebase" 🤷 Anyway, we already merged a fix to update
babel/cli depends on nicolo-ribaudo/chokidar-2. It looks like that package uses babel/cli, which requires glob-parent 3.1.0, which is the package with the vulnerability. nicolo-ribaudo/chokidar-2 hasn't been updated since Nov 2020. Any update on removing this vulnerability?