minimatch security vulnerability in CLI - only way to fix it is to delete cli folder contents #1698

Closed
diomedtmc opened this issue Mar 15, 2022 · 1 comment · Fixed by #1704

Comments


diomedtmc commented Mar 15, 2022

protobuf.js version: 6.11.2

Expected Behavior: Protobuf.js passes all security scans and vulnerability checks.
Actual Behavior: It fails our scans repeatedly because of a known minimatch 3.0.4 (or lower) security vulnerability.

Additional notes: Because of the way the cli is packaged (lock file + node_modules folder), we are unable to cleanse the problem through conventional means (npm overrides or yarn resolutions, for instance). We do not use the CLI for production runtimes, but because of the way protobufjs is packaged, the cli and its vulnerability end up in the production image.

@diomedtmc diomedtmc changed the title minimatch security vulnerable in CLI - only way to fix it is to delete cli folder minimatch security vulnerability in CLI - only way to fix it is to delete cli folder Mar 16, 2022
@diomedtmc diomedtmc changed the title minimatch security vulnerability in CLI - only way to fix it is to delete cli folder minimatch security vulnerability in CLI - only way to fix it is to delete cli folder contents Mar 16, 2022
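The packaging problem described in the report (a nested `node_modules` under `protobufjs/cli` that npm `overrides` and yarn `resolutions` never reach) is easy to miss with a top-level audit. The script below is an added example for this issue, not protobuf.js project code: it walks a project tree, lists every installed copy of a package at any nesting depth, and flags the ones at or below the version the report names (minimatch 3.0.4). The directory layout it builds, and the "4.0.0" top-level version, are constructed for the demo.

```python
"""Find every installed copy of an npm package under a project, including copies
vendored inside nested node_modules folders (the situation this report describes:
protobufjs's cli folder ships its own lock file and node_modules, so npm
"overrides" / yarn "resolutions" never reach the minimatch it carries).

Added example for this issue, not protobuf.js project code. The directory layout
and the "4.0.0" top-level version are constructed for the demo.
"""
import json
import os
import tempfile
from pathlib import Path


def parse_version(version):
    """Turn "3.0.4" into (3, 0, 4); pre-release and build tags are ignored for this check."""
    core = version.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def find_installed_copies(root, package_name):
    """Return sorted [(posix_relative_dir, version)] for every
    node_modules/<package_name>/package.json below root, at any nesting depth.
    Scoped names such as "@scope/name" work too, because the suffix keeps the slash.
    """
    root = Path(root)
    suffix = "node_modules/" + package_name
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        if "package.json" in filenames and rel.endswith(suffix):
            with open(Path(dirpath) / "package.json", encoding="utf-8") as fh:
                version = json.load(fh).get("version", "0.0.0")
            hits.append((rel, version))
    return sorted(hits)


def vulnerable_copies(root, package_name, max_affected_version):
    """Copies whose version is at or below the highest affected version.
    The report names minimatch 3.0.4 "or lower", so pass "3.0.4"."""
    ceiling = parse_version(max_affected_version)
    return [(path, ver) for path, ver in find_installed_copies(root, package_name)
            if parse_version(ver) <= ceiling]


def build_sample_tree(base):
    """Constructed layout mimicking the report: the top-level minimatch was lifted
    by an override to a hypothetical 4.0.0, but protobufjs/cli still carries a
    vendored 3.0.4 inside its own node_modules."""
    layout = {
        "node_modules/minimatch": "4.0.0",                              # hypothetical, post-override
        "node_modules/protobufjs": "6.11.2",                            # version named in the report
        "node_modules/protobufjs/cli/node_modules/minimatch": "3.0.4",  # the vendored copy
    }
    for rel, ver in layout.items():
        pkg_dir = Path(base) / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        name = rel.rsplit("node_modules/", 1)[-1]
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, "version": ver}))


def demo(package_name="minimatch", max_affected_version="3.0.4"):
    """Build the constructed tree in a temp dir and return (all copies, affected copies)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return (find_installed_copies(tmp, package_name),
                vulnerable_copies(tmp, package_name, max_affected_version))


if __name__ == "__main__":
    all_copies, affected = demo()
    for path, ver in all_copies:
        flag = "AFFECTED" if (path, ver) in affected else "ok"
        print(f"{flag:9} {ver:8} {path}")
```

Run it against a real checkout by calling `vulnerable_copies("/path/to/project", "minimatch", "3.0.4")` instead of `demo()`; the point of walking the whole tree rather than reading the top-level lock file is precisely that a vendored `node_modules` inside a dependency does not appear in that lock file.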
@agustingabiola

Follow this one: #1696 and upvote

richgerrard added a commit to richgerrard/protobuf.js that referenced this issue Mar 31, 2022
If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes protobufjs#1696
Fixes protobufjs#1697
Fixes protobufjs#1698
alexander-fenster added a commit that referenced this issue May 20, 2022
* Patch minimatch vulnerability

If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes #1696
Fixes #1697
Fixes #1698

* chore: update lockfile

Co-authored-by: Alexander Fenster <[email protected]>