Potential Resource Exhaustion vulnerability in Cronicle's use of Glob #837
matthewjhands started this conversation in Ideas
Replies: 1 comment, 1 reply

Hello,

The SCA dependency scanning tool where I work and use Cronicle has picked up a "high" vulnerability in the glob dependency of Cronicle, because [email protected] itself has a dependency on [email protected] which has a known memory leak issue, which at least in theory could lead to a resource exhaustion vulnerability. The Inflight maintainers have indicated that they won't be attempting to fix this bug because the whole project is deprecated.

I have a question and a feature request:

glob?
[email protected], which apparently doesn't leverage inflight please?

Many thanks,
Matt

Reply:

Hi there! How weird, npm audit doesn't catch that vuln at all, nor did I receive a notification from my snyk.io account 🤷🏻‍♂️ Oh well, I just went ahead and removed glob as a dependency entirely. Cronicle v0.9.63 now uses my own glob implementation in pixl-tools (which uses picomatch under the hood). Fixed in v0.9.63: https://github.com/jhuckaby/Cronicle/releases/tag/v0.9.63