vulnerability CVE-2018-1109 is introduced by package braces
ayaka-kms opened this issue
Hi, @Quramy, a vulnerability CVE-2018-1109 is introduced in reg-suit-core@0.10.16 via:
● reg-suit-core@0.10.16 ➔ cpx@1.5.0 ➔ chokidar@1.7.0 ➔ anymatch@1.3.2 ➔ micromatch@2.3.11 ➔ braces@1.8.5
However, cpx is a legacy package, which has not been maintained for about 5 years.
Is it possible to migrate from cpx to another package to remediate this vulnerability?
I noticed several migration records for cpx in other JS repos:
- in commitizen, version 2.10.1 ➔ 3.0.0, removed cpx via commit
- in @s-ui/studio, version 10.12.0 ➔ 10.13.0, migrated cpx to copyfiles via commit
Thanks.
resolved by #605