[ https://issues.apache.org/jira/browse/SENSSOFT-322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16741747#comment-16741747 ]
Joshua Poore commented on SENSSOFT-322:
---------------------------------------

In order to appropriately update minimatch in sub-, sub-dependencies, we need to update Gulp to version 4.0.0

> minimatch deprecation: ReDOS vulnerability
> ------------------------------------------
>
>                 Key: SENSSOFT-322
>                 URL: https://issues.apache.org/jira/browse/SENSSOFT-322
>             Project: SensSoft
>          Issue Type: Bug
>          Components: UserALE.js
>    Affects Versions: UserALE.js 1.0.0, UserALE.js 1.1.0
>            Reporter: Joshua Poore
>            Assignee: Joshua Poore
>            Priority: Major
>             Fix For: UserALE.js 1.0.0, UserALE.js 1.1.0
>
>         Attachments: minimatch 2.0.7 vulnerability
>
>
> minimatch 2.0.7 has a ReDOS vulnerability. minimatch must be upgraded to ^3.0.2 to remove the vulnerability. However, minimatch 2.0.7 is a dependency of vinyl-fs, which is a dependency of gulp 3.9.1. Two potential options:
> # The right way: update to gulp 4.0.0, which has breaking changes.
> # The wonky way: coerce the global environment to use minimatch 3.0.2 using "npm install -g minimatch@3.0.2". gulp 3.9.1 will still force installation of vinyl-fs, which will force installation of minimatch 2.0.7. However, coercing npm to install 3.0.2 should remove the vulnerability. This solution is purely a downstream hack. See this thread:
> [https://stackoverflow.com/questions/38046392/npm-warn-deprecated-minimatch2-0-10-please-update-to-minimatch-3-0-2-or-higher/38077214]
> Will test #2 as an intermediate solution

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
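Added here as a verification check for the remediation discussed in the issue, not code from the SensSoft project: a small Node script that walks a lockfileVersion 1 style package-lock.json "dependencies" tree and reports every nested copy of minimatch still below 3.0.2, with the chain that pulls it in, so the fix can be confirmed against the resolved local tree. The lock data is constructed; the vinyl-fs version is a placeholder, the other versions are the ones the issue names.

```javascript
// Added example, not SensSoft project code: find nested copies of minimatch
// below the 3.0.2 line named in the issue inside a lockfileVersion 1 style tree.
// Sample lock data is constructed (vinyl-fs version is a placeholder).
const FIXED = [3, 0, 2];

// True when semver string `a` is numerically older than the triple `b`
// (major.minor.patch compare; prerelease tags are not considered here).
function olderThan(a, b) {
  const x = a.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== b[i]) return x[i] < b[i];
  }
  return false;
}

// Recursively collect {version, chain} for every copy of `pkg` below FIXED.
function findVulnerable(deps, pkg, chain = [], out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = chain.concat(`${name}@${meta.version}`);
    if (name === pkg && olderThan(meta.version, FIXED)) {
      out.push({ version: meta.version, chain: here.join(' > ') });
    }
    findVulnerable(meta.dependencies, pkg, here, out);
  }
  return out;
}

// Constructed sample: gulp 3.9.1 -> vinyl-fs -> minimatch 2.0.7, plus a
// top-level minimatch that is already on a fixed release and must not be flagged.
const SAMPLE_LOCK = {
  dependencies: {
    gulp: {
      version: '3.9.1',
      dependencies: {
        'vinyl-fs': {
          version: '0.3.14', // placeholder
          dependencies: { minimatch: { version: '2.0.7' } },
        },
      },
    },
    minimatch: { version: '3.0.4' },
  },
};

function report(lock = SAMPLE_LOCK) {
  return findVulnerable(lock.dependencies, 'minimatch');
}

for (const hit of report()) console.log(`minimatch ${hit.version} via ${hit.chain}`);
```

Point the script at a real lock file by passing `JSON.parse(fs.readFileSync('package-lock.json'))` to `report()`; an empty result means no nested copy below 3.0.2 remains in the tree.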