glob-parent 3.1.0 dependency vulnerability on @bable/cli@7.13.14 #13135
Comments
|
Hey @madhurjya! We really appreciate you taking the time to report an issue. The collaborators on this project attempt to help as many people as possible, but we're a limited number of volunteers, so it's possible this won't be addressed swiftly. If you need any help, or just have general Babel or JavaScript questions, we have a vibrant Slack community that typically always has someone willing to help. You can sign-up here for an invite." |
|
That dependency is only used when you are on Node.js 6. If you use Node.js 8+ the vulnerable code is never executed on your machine. On Node.js 6 (which hasn't been maintained for years anyway) there is no alternative for that package (which is a fork of |
|
@nicolo-ribaudo I might be misunderstanding, but given that Node.js < 10 is not supported at all anymore, what is the reasoning behind keeping around dependencies that support Node.js 6? It makes it difficult to ensure we are not executing vulnerable code if it is kept around as a dependency, even if never used, to maintain legacy support for platforms that are well beyond their supported maintenance windows. |
|
Babel 7 supports Node.js 6+. We will drop support for Node.js 6, 8, 10, 11 and 13 in the next major. |
|
I am literally having to fork babel-cli and remove this from it over this issue. |
|
The issue here is with the vulns reporting tool that doesn't allow marking some vulnerability as "not actually affecting my codebase" 🤷 Anyway, we already merged a fix to update |
github-actions
bot
added
the
outdated
babel/cli depends on nicolo-ribaudo/chokidar-2, It looks like that package use’s babel/cli which requires used glob-parent 3.1.0 which is the package with the vulnerability. nicolo-ribaudo/chokidar-2 hasn’t been updated since Nov 2020. Any update to removing this vulnerability?
The text was updated successfully, but these errors were encountered: