Security vulnerability identified by Snyk within the `svg-sprite` package's dependencies.

The issue is tied to the `inflight` package, which is a transitive dependency through `glob`. According to Snyk, the vulnerability is registered as SNYK-JS-INFLIGHT-6095116 and CWE-772: Missing Release of Resource after Effective Lifetime.

Issue Description

The `inflight` package, which is used to prevent parallel execution of async tasks with the same key, has been reported to have a security vulnerability.

Relevant Context

`glob` version 9 and onwards have moved away from using callbacks to promises, leading to the removal of `inflight` from its dependencies due to the API changes. This evolution is discussed in the following `node-glob` GitHub issues:

Additionally, the `inflight` package itself has its own issues:

Suggested Action

Given that `glob` has evolved past the need for `inflight`, it may be beneficial for `svg-sprite` to update its dependencies accordingly to a version of `glob` that does not rely on `inflight` V9/V10.
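
To confirm which installed packages keep `inflight` in a project's tree, the following added example (not part of the original issue or of svg-sprite's code) walks a parsed `package-lock.json` and returns each chain from the root project to `inflight`. The helper names `resolveDep`, `label` and `chainsTo` and the sample lockfile are hypothetical, and the versions in the sample are made up.

```javascript
// Added example: list the dependency chains that pull `target` into a project.
// Resolve `name` as seen from the package installed at `fromPath`, mimicking
// Node's lookup: nearest node_modules first, then each enclosing package.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dependency
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

function label(packages, path) {
  const name = path ? path.split("node_modules/").pop() : packages[path].name || "(root)";
  return `${name}@${packages[path].version}`;
}

// Breadth-first walk over a parsed package-lock.json ("packages" map, lockfileVersion
// 2 or 3). Returns one chain per direct dependent: [root, ..., dependent, target].
function chainsTo(lock, target) {
  const packages = lock.packages;
  const parent = new Map([["", null]]);
  const queue = [""], chains = [];
  while (queue.length) {
    const path = queue.shift(), pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...(path ? {} : pkg.devDependencies) };
    for (const name of Object.keys(deps)) {
      const child = resolveDep(packages, path, name);
      if (!child) continue;
      if (name === target) {
        const chain = [label(packages, child)];
        for (let p = path; p !== null; p = parent.get(p)) chain.unshift(label(packages, p));
        chains.push(chain);
      }
      if (!parent.has(child)) { parent.set(child, path); queue.push(child); }
    }
  }
  return chains;
}

// Constructed sample lockfile: package names follow the issue, versions are made up.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0", dependencies: { "svg-sprite": "*" } },
  "node_modules/svg-sprite": { version: "0.0.0-example", dependencies: { glob: "^7.0.0" } },
  "node_modules/glob": { version: "7.0.0", dependencies: { inflight: "^1.0.0" } },
  "node_modules/inflight": { version: "1.0.0" },
} };
for (const c of chainsTo(sampleLock, "inflight")) console.log(c.join(" -> "));
```

An empty result after a dependency update means no installed package still declares `inflight`.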