Vulnerability in minimatch
evansjarom11 opened this issue
Our project uses your package, and a vulnerability was found in minimatch version 3.0.4, which your package is dependent on. Please update your dependency to at least minimatch 3.0.5. See CVE-2022-3517.
This is a Regular Expression Denial of Service vulnerability, and minimatch is used in plugin configuration. Therefore it isn't an exploitable vulnerability - plugin configuration is defined by the developer and used only at build time :)
Feel free to create a PR with dependency bump :)
Add this to your package.json and test it:
```json
"overrides": {
  "fork-ts-checker-webpack-plugin": {
    "minimatch": ">=3.0.5"
  }
}
```
@mastmaster that works for the dependencies. But how I still get the old version on those dependencies of 'node_modules' as shown here:
Previous comment does not pose an issue. Overrides fixed the problem.
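One way to confirm that the override took effect everywhere, as an added example that is not code from this thread or from the plugin: it walks the `packages` map of a parsed `package-lock.json` and flags every minimatch copy older than the 3.0.5 requested above. It assumes lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the thread): find every minimatch copy recorded in
// a parsed package-lock.json and flag those below the 3.0.5 named in the issue.
// Assumption: lockfileVersion 2 or 3, where installs are keyed by path in "packages".

const MIN_SAFE = [3, 0, 5]; // minimum version requested in this issue

// True when "x.y.z" is lower than MIN_SAFE; prerelease/build suffixes are ignored.
function isBelowMinimum(version) {
  const parts = version.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const part = parts[i] || 0;
    if (part !== MIN_SAFE[i]) return part < MIN_SAFE[i];
  }
  return false;
}

// Return [{ path, version, vulnerable }] for each minimatch install, nested ones included.
function findMinimatch(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match ".../node_modules/minimatch" but not scoped or similarly named packages.
    if (!/(^|\/)node_modules\/minimatch$/.test(path)) continue;
    if (!meta.version) continue; // link entries carry no version
    results.push({ path, version: meta.version, vulnerable: isBelowMinimum(meta.version) });
  }
  return results;
}

// Constructed sample lockfile: one nested copy is still on the old version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/fork-ts-checker-webpack-plugin/node_modules/minimatch": { version: "3.0.4" },
    "node_modules/glob/node_modules/minimatch": { version: "5.1.0" },
  },
};

for (const hit of findMinimatch(SAMPLE_LOCK)) {
  console.log(`${hit.vulnerable ? "OLD" : "ok "}  ${hit.version}  ${hit.path}`);
}
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findMinimatch` instead of `SAMPLE_LOCK`.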