[Issue][<dependecies>] SNYK Inflight vulnerability in inflight@1.0.6

Question

[Issue][<dependecies>] SNYK Inflight vulnerability in inflight@1.0.6

sebestenyb opened this issue 2 months ago · comments

Balazs Sebesteny commented 2 months ago

Describe the bug

Medium severity memory leak in inflight@1.0.6: https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116

To Reproduce

Please see the dependency tree below, eslint updated their dependencies in v9 to fx the issue:
eslint/eslint#17872

Screenshots

Issues with no direct upgrade or patch:
  ✗ Missing Release of Resource after Effective Lifetime [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116] in inflight@1.0.6
    introduced by maz-ui@3.43.0 > eslint@8.57.0 > file-entry-cache@6.0.1 > flat-cache@3.2.0 > rimraf@3.0.2 > glob@7.2.3 > inflight@1.0.6
  No upgrade or patch available

Additional context

Is it possible to update eslint to v9?

Mazel · Answer 1 · Fri May 03 2024 17:00:55 GMT+0800 (China Standard Time)

Hi @sebestenyb,

By mistake, I included Eslint in the dependencies instead of devDependencies. I will fix it by moving Eslint to devDependencies and it will not be included in the maz-ui installation. This issue will disappear.

And just for more information:
Unfortunately, I can't migrate Eslint to v9 for the moment because many plugins used in the project are not ready, I have to wait for plugin updates:

And inflight@1.0.6 is always present in the v9. As you can see in your message "No upgrade or patch available".

Mazel · Answer 2 · Fri May 03 2024 17:35:07 GMT+0800 (China Standard Time)

Solved in v3.43.2

Balazs Sebesteny · Answer 3 · Sat May 04 2024 04:01:51 GMT+0800 (China Standard Time)

Understand, thank you.