
glob-parent, got, and node-fetch security vulnerabilities for netlify-cli@10.15.0


Describe the bug

npm flags security vulnerabilities for the packages glob-parent, got, and node-fetch after having installed the latest netlify-cli@10.15.0

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install netlify-cli@2.37.0, which is a breaking change
node_modules/netlify-cli/node_modules/cpy/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/netlify-cli/node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/netlify-cli/node_modules/cpy/node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/netlify-cli/node_modules/cpy
        @netlify/cache-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/cache-utils
          @netlify/build  >=0.1.31
          Depends on vulnerable versions of @netlify/cache-utils
          Depends on vulnerable versions of @netlify/functions-utils
          Depends on vulnerable versions of got
          Depends on vulnerable versions of update-notifier
          node_modules/netlify-cli/node_modules/@netlify/build
            netlify-cli  >=0.3.4
            Depends on vulnerable versions of @netlify/build
            Depends on vulnerable versions of gh-release-fetch
            Depends on vulnerable versions of node-version-alias
            Depends on vulnerable versions of update-notifier
            node_modules/netlify-cli
        @netlify/functions-utils  *
        Depends on vulnerable versions of cpy
        node_modules/netlify-cli/node_modules/@netlify/functions-utils

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install netlify-cli@2.37.0, which is a breaking change
node_modules/netlify-cli/node_modules/@netlify/build/node_modules/got
node_modules/netlify-cli/node_modules/download/node_modules/got
node_modules/netlify-cli/node_modules/fetch-node-website/node_modules/got
node_modules/netlify-cli/node_modules/package-json/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/download
    gh-release-fetch  *
    Depends on vulnerable versions of download
    node_modules/netlify-cli/node_modules/gh-release-fetch
  fetch-node-website  2.0.0 - 5.0.3
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/fetch-node-website
    all-node-versions  2.0.0 - 8.0.0
    Depends on vulnerable versions of fetch-node-website
    node_modules/netlify-cli/node_modules/all-node-versions
      node-version-alias  <=1.0.1
      Depends on vulnerable versions of all-node-versions
      Depends on vulnerable versions of normalize-node-version
      node_modules/netlify-cli/node_modules/node-version-alias
      normalize-node-version  2.0.0 - 10.0.0
      Depends on vulnerable versions of all-node-versions
      node_modules/netlify-cli/node_modules/normalize-node-version
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/netlify-cli/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/netlify-cli/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/netlify-cli/node_modules/update-notifier

node-fetch  3.0.0 - 3.2.9
Severity: moderate
node-fetch Inefficient Regular Expression Complexity  - https://github.com/advisories/GHSA-vp56-6g26-6827
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/@netlify/edge-bundler/node_modules/node-fetch
node_modules/netlify-cli/node_modules/netlify/node_modules/node-fetch

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@2.1.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          node_modules/react-scripts

25 vulnerabilities (12 moderate, 13 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Steps to reproduce

  1. npm i netlify-cli
  2. npm audit

Configuration

No response

Environment

System:
  OS: Windows 10 10.0.19044
  CPU: (16) x64 AMD Ryzen 7 1700X Eight-Core Processor
  Memory: 40.85 GB / 63.93 GB
Binaries:
  Node: 16.14.0 - C:\Program Files\nodejs\node.EXE
  npm: 8.15.1 - C:\Program Files\nodejs\npm.CMD
npmPackages:
  netlify-cli: ^10.15.0 => 10.15.0

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
AndyTurnerNetlify commented, Sep 26, 2022

@danez - any update on when we might be able to get this resolved?

1 reaction
danez commented, Aug 15, 2022

Thanks for reporting.

