Potential Resource Exhaustion vulnerability in Cronicle's use of Glob #837
matthewjhands
started this conversation in
Ideas
Replies: 1 comment 1 reply
-
Hi there! How weird, NPM audit doesn't catch that vuln at all, nor did I receive a notification from my snyk.io account 🤷🏻♂️ Oh well, I just went ahead and removed glob as a dependency entirely. Cronicle v0.9.63 now uses my own glob implementation in pixl-tools (which uses picomatch under the hood). Fixed in v0.9.63: https://github.com/jhuckaby/Cronicle/releases/tag/v0.9.63 |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hello,
The SCA dependency scanning tool where I work and use Cronicle has picked up a "high" vulnerability in the
glob
dependency of Cronicle, because[email protected]
itself has a dependency on[email protected]
which has a known memory leak issue, which at least in theory could lead to a resource exhaustion vulnerability. The Inflight maintainers have indicated that they won't be attempting to fix this bug because the whole project is deprecated.I have a question and a feature request:
glob
?[email protected]
, which apparently doesn't leverage inflight please?Many thanks,
Matt
Beta Was this translation helpful? Give feedback.
All reactions