Joshua Poore created SENSSOFT-322:
-------------------------------------

             Summary: minimatch deprecation: ReDOS vulnerability
                 Key: SENSSOFT-322
                 URL: https://issues.apache.org/jira/browse/SENSSOFT-322
             Project: SensSoft
          Issue Type: Bug
          Components: UserALE.js
    Affects Versions: UserALE.js 1.0.0, UserALE.js 1.1.0
            Reporter: Joshua Poore
            Assignee: Joshua Poore
             Fix For: UserALE.js 1.0.0, UserALE.js 1.1.0


minimatch 2.0.7 has a ReDoS vulnerability. minimatch must be upgraded to ^3.0.2 
to remove the vulnerability. However, minimatch 2.0.7 is a dependency of vinyl-fs, 
which is a dependency of gulp 3.9.1. Two potential options:
 # The right way: update to gulp 4.0.0, which has breaking changes.
 # The wonky way: coerce the global environment to use minimatch 3.0.2 using 
"npm install -g minimatch@3.0.2". gulp 3.9.1 will still force installation of 
vinyl-fs, which will force installation of minimatch 2.0.7. However, coercing 
npm to install 3.0.2 should remove the vulnerability. This solution is purely a 
downstream hack.
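The ticket turns on a transitive dependency: the vulnerable minimatch is not pulled in directly but through gulp 3.9.1 and vinyl-fs. A practical check is to walk the installed dependency tree and report every path that resolves minimatch to a version outside ^3.0.2, so that a fix (whichever option is chosen) can be verified rather than assumed. The script below is an added example, not code from the SENSSOFT-322 ticket or the UserALE.js project. It walks a tree in the nested shape that `npm ls --json` prints; the sample tree is constructed to mirror the chain the ticket describes, and the vinyl-fs version in it is a placeholder since the ticket does not state one.

```javascript
// Added example (not from SENSSOFT-322 or UserALE.js): find every path in an
// npm dependency tree that resolves a package to a version outside a caret range.
// Works offline on a constructed tree shaped like `npm ls --json` output.

// Constructed sample tree mirroring the chain in the ticket:
// gulp 3.9.1 -> vinyl-fs -> minimatch 2.0.7, plus a top-level minimatch 3.0.2.
const SAMPLE_TREE = {
  name: "userale-example",      // constructed name
  version: "0.0.0",
  dependencies: {
    gulp: {
      version: "3.9.1",
      dependencies: {
        "vinyl-fs": {
          version: "0.3.14",    // placeholder: the ticket does not give this version
          dependencies: {
            minimatch: { version: "2.0.7" },
          },
        },
      },
    },
    minimatch: { version: "3.0.2" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
// Pre-release and build suffixes are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Caret semantics for MAJOR >= 1: version must be >= X.Y.Z and < (X+1).0.0.
function satisfiesCaret(version, range) {
  const [vM, vm, vp] = parseVersion(version);
  const [rM, rm, rp] = parseVersion(range.replace(/^\^/, ""));
  if (vM !== rM) return false;
  if (vm !== rm) return vm > rm;
  return vp >= rp;
}

// Depth-first walk of `tree.dependencies`. Returns one { path, version } entry
// for each occurrence of `pkg` whose version is outside `range`, where `path`
// is the chain of name@version entries from the root to that occurrence.
function findVulnerable(tree, pkg, range, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && !satisfiesCaret(node.version, range)) {
      hits.push({ path: here.join(" > "), version: node.version });
    }
    hits.push(...findVulnerable(node, pkg, range, here));
  }
  return hits;
}

// Human-readable report lines for the sample tree.
function reportLines(tree, pkg, range) {
  return findVulnerable(tree, pkg, range).map(
    (h) => `vulnerable ${pkg}@${h.version} via ${h.path}`,
  );
}

for (const line of reportLines(SAMPLE_TREE, "minimatch", "^3.0.2")) {
  console.log(line);
}
```

Against a real project, replace `SAMPLE_TREE` with `JSON.parse` of `npm ls --json --all` output; the top-level minimatch 3.0.2 in the sample passes, while the copy nested under vinyl-fs is reported, which is exactly the situation a global or top-level install does not change on its own.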
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)