Vulnerability in minimatch

Question

Vulnerability in minimatch

evansjarom11 opened this issue 2 years ago · comments

Our project uses your package and there was found a vulnerability in minimatch version 3.0.4 which your package is dependent on. Please update your dependency to at least minimatch 3.0.5. see CVE-2022-3517

Piotr Oleś · Answer 1 · Fri Oct 21 2022 04:20:33 GMT+0800 (China Standard Time)

This is Regular Expression Denial of Service vulnerability, and minimatch is used in plugin configuration. Therefore it isn't an exploitable vulnerability - plugin configuration is defined by developer and used only in the build time :)

Feel free to create a PR with dependency bump :)

iBen · Answer 2 · Fri Oct 21 2022 05:46:45 GMT+0800 (China Standard Time)

Add this to your package.json and test it
"overrides": {
"fork-ts-checker-webpack-plugin": {
"minimatch": ">=3.0.5"
}
}

Jarom Evans · Answer 3 · Fri Oct 21 2022 06:25:57 GMT+0800 (China Standard Time)

@mastmaster that works for the dependencies. But how I still get the old version on those dependencies of 'node_modules' as shown here:

Jarom Evans · Answer 4 · Fri Oct 21 2022 21:29:07 GMT+0800 (China Standard Time)

Previous comment does not pose an issues. Overrides fixed the problem