Vulnerability in shelljs dependency: CWE-772: Missing Release of Resource after Effective Lifetime #1149
Comments
I understand that this package is a transitive dependency, but do you know if the Unfortunately, glob@9 is not compatible with node v8, which ShellJS still supports. Fixing this is not a trivial package upgrade.
#828 might be a possible path forward. I originally filed that ticket because fast-glob seemed to have nice perf wins, but switching to that would also mean we can avoid this dependency. I think it's mostly a drop-in replacement, but I see a few behavior differences around symlinks (both broken and non-broken). The behavior differences are clear since several tests are broken. If someone wants to start a PR to move to fast-glob, let me know. I'm happy to review and provide guidance on the path forward.
I don't know that the vulnerability is exploitable in Thanks for your quick response.
This removes `node-glob` in favor of `fast-glob`. The main motivation for this is because `node-glob` has a security warning and I can't update to `node-glob@9` unless we drop compatibility for node v8. Switching to `fast-glob` seems to be fairly straightforward, although some options need to be changed by default for bash compatibility. Fixes #828 Fixes #1149
I think the switch to fast-glob was more straightforward than expected. I wrote up #1153 to do this. Unfortunately we currently expose
ShellJS version (the most recent version/Github branch you see the bug on):
0.8.5
Description of the bug:
A transitive dependency of shelljs introduces a vulnerability. This can be solved by updating the glob version to 9.0.0 or higher.
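
To see which packages in a project actually resolve to a pre-9 `glob`, as the report above describes, the lockfile can be walked directly. This is an added example, not code from the issue or from ShellJS; it assumes npm's lockfile v2/v3 `packages` layout, the function names are hypothetical, and the lockfile contents are constructed.

```javascript
// Added example: trace which dependents in a lockfile resolve to glob < 9.
// SAMPLE_LOCK is constructed for illustration; it is not from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { shelljs: "^0.8.5", "other-tool": "^1.0.0" } },
    "node_modules/shelljs": { version: "0.8.5", dependencies: { glob: "^7.0.0" } },
    "node_modules/glob": { version: "7.2.3" },
    "node_modules/other-tool": { version: "1.0.0", dependencies: { glob: "^9.0.0" } },
    "node_modules/other-tool/node_modules/glob": { version: "9.3.5" },
  },
};

// Resolve a dependency the way Node does: look in the dependent's own
// node_modules first, then walk up towards the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// One finding per dependent whose resolved copy of `name` has a major
// version below `minMajor`. Nested copies are handled per dependent, so a
// package that bundles its own newer copy is not flagged.
function findOldDependents(lock, name, minMajor) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!(name in deps)) continue;
    const resolved = resolveDep(packages, path, name);
    if (!resolved) continue;
    const version = packages[resolved].version || "0.0.0";
    const major = parseInt(version.split(".")[0], 10);
    if (major < minMajor) {
      findings.push({ dependent: path || "(root)", range: deps[name], resolved, version });
    }
  }
  return findings;
}

console.log(findOldDependents(SAMPLE_LOCK, "glob", 9));
```

Against a real project, pass the parsed contents of `package-lock.json` in place of `SAMPLE_LOCK`.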