
[Bug]: glob-parent@5.1.0 introduces ReDoS vulnerability #4415

Closed
simonhmadsen opened this issue May 21, 2021 · 4 comments
Comments

simonhmadsen commented May 21, 2021

What version of Tailwind CSS are you using?

2.1.2

What build tool (or framework if it abstracts the build tool) are you using?

webpack@5.14.0

What version of Node.js are you using?

v14.11.0

What browser are you using?

Chrome

What operating system are you using?

macOS

Reproduction repository

https://github.com/tailwindlabs/tailwindcss

Describe your issue

The dependency glob-parent@5.1.0 introduces a ReDoS vulnerability
(https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905)

The vulnerability was fixed in glob-parent@5.1.2

@adamwathan (Member)

Hey! This is a transitive dependency for us but we are on 5.1.2 in our lock file already. For anyone who installs Tailwind, the lock file will be ignored but they should get the latest version.


thinkjrs commented Jun 16, 2021

@adamwathan I am experiencing this in a current project:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.1.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tailwindcss [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tailwindcss > parse-glob > glob-base > glob-parent           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 1675 scanned packages
  1 vulnerability requires manual review. See the full report for details.

I have the following in my package.json related to tailwindcss:

"@tailwindcss/aspect-ratio": "^0.2.1",
"@tailwindcss/forms": "^0.2.1",
"@tailwindcss/typography": "^0.4.1",
"tailwindcss": "^2.1.4",

Installing the package directly doesn't help, of course.

After some digging, it looks like glob-base has an open issue to update glob-parent:

micromatch/glob-base#6

adamwathan (Member) commented Jun 16, 2021

@thinkjrs We've removed our dependency on parse-glob and pulled in glob-parent ourselves so we can lock it to a newer version so you won't see this in the next release:

#4458

@thinkjrs

> @thinkjrs We've removed our dependency on parse-glob and pulled in glob-parent ourselves so we can lock it to a newer version so you won't see this in the next release:
>
> #4458

🥇

  1. Thank you for the rapid fire response.
  2. This is precisely why we are happy, paying customers of yours.

That's a great solution, and you all implemented it very quickly, as well. You + team are awesome. Thanks for all the good work!
