cpy has transitive dependencies with a CVE vulnerability
cpy depends on globby @ ^12.0.2. Following the dependency chain, this also pulls in globby @ 9.2.0. That version of globby depends on fast-glob which depends on glob-parent at a specific version with a vulnerability.
| +-- globby@9.2.0
| | +-- @types/glob@7.2.0
| | | +-- @types/minimatch@3.0.5
| | | `-- @types/node@16.11.9
| | +-- array-union@1.0.2
| | | `-- array-uniq@1.0.3
| | +-- dir-glob@2.2.2
| | | `-- path-type@3.0.0
| | | `-- pify@3.0.0
| | +-- fast-glob@2.2.7
| | | +-- @mrmlnc/readdir-enhanced@2.2.1
| | | | +-- call-me-maybe@1.0.1
| | | | `-- glob-to-regexp@0.3.0
| | | +-- @nodelib/fs.stat@1.1.3
| | | +-- glob-parent@3.1.0 <---
| | | | +-- is-glob@3.1.0
| | | | | `-- is-extglob@2.1.1 deduped
| | | | `-- path-dirname@1.0.2
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| glob-parent | CVE-2020-28469 | HIGH | 3.1.0 | 5.1.2 | nodejs-glob-parent: Regular |
| | | | | | expression denial of service |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-28469 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
The latest version of globby has a dependency tree which does pull in a fixed version of glob-parent.
It's blocked by https://github.com/sindresorhus/cpy/pull/92

@sindresorhus is it actually truly blocked by that PR, or does that PR just happen to address the issue, amongst other things? Wondering because that PR seems to have stalled, and this remains a "high severity" CVE alert, months on. It either needs a new champion, or for the transitive dependency aspects to be cherry-picked.