Potential Resource Exhaustion vulnerability in Cronicle's use of Glob #837
matthewjhands started this conversation in Ideas
Replies: 1 comment, 1 reply

- Original post (matthewjhands):

Hello,

The SCA dependency scanning tool where I work and use Cronicle has picked up a "high" vulnerability in the glob dependency of Cronicle, because glob@5.0.15 itself has a dependency on inflight@1.0.6, which has a known memory leak issue, which at least in theory could lead to a resource exhaustion vulnerability. The Inflight maintainers have indicated that they won't be attempting to fix this bug because the whole project is deprecated.

I have a question and a feature request:

- […] glob […]?
- […] glob@9.x, which apparently doesn't leverage inflight please?

Many thanks,
Matt

- Reply:

Hi there! How weird, NPM audit doesn't catch that vuln at all, nor did I receive a notification from my snyk.io account 🤷🏻♂️ Oh well, I just went ahead and removed glob as a dependency entirely. Cronicle v0.9.63 now uses my own glob implementation in pixl-tools (which uses picomatch under the hood). Fixed in v0.9.63: https://github.com/jhuckaby/Cronicle/releases/tag/v0.9.63