sequelize / sequelize-typescript

Decorators and some other features for sequelize

Vulnerability issue from Snyk scan

dtrrk opened this issue · comments

Issue

Can we bump the version of glob? There is a vulnerability that comes from glob -> inflight.
The latest version of glob does not use inflight.

Versions

  • sequelize: 6.34.0
  • sequelize-typescript: 2.1.6
  • typescript: 4.8.4

Issue type

  • bug report
  • feature request

Actual behavior

[screenshot attachment]

Expected behavior

Steps to reproduce

Related code

insert short code snippets here

I can update it to 7.2.3, but we can't go higher than that since we still support Node 10. Do you know if that fixes this warning? We would be on the latest v1 release of inflight if we updated. Not sure which version we are on now.

No, 7.2.3 still uses "inflight" dependency.

I think 7.2.3 and 7.2.0 use the same version of inflight, and it is the latest.
In fact, I don't know which version of glob got rid of inflight, but in the latest version of glob this package is definitely not there.

Then you can try to override glob yourself. If you're using npm, you can use the overrides field: https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides

Alternatively, you can try preparing for and migrating to the v7 alphas of @sequelize/core, which include the features of sequelize-typescript in sequelize itself. We're not going to make any impacting changes to sequelize-typescript anymore, such as dropping support for certain Node versions.

Because resolving this vulnerability requires us to drop support for Node 10, I will close this as not planned.
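The override the maintainer points to, shown as an added example (not code from the issue or from the sequelize-typescript project). It pins the `glob` that `sequelize-typescript` resolves to a newer major while leaving any other `glob` in the tree untouched, which is the narrowest change. The application name and the `^10.0.0` range are assumptions: the thread says only that the latest glob no longer depends on inflight, so check the chosen version's own dependency list before relying on it.

```json
{
  "name": "example-app",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "sequelize": "6.34.0",
    "sequelize-typescript": "2.1.6"
  },
  "overrides": {
    "sequelize-typescript": {
      "glob": "^10.0.0"
    }
  }
}
```

Overrides are honoured by npm 8.3 and later; after editing package.json, run `npm install` so the lockfile is regenerated, then `npm ls inflight` to confirm the package is gone from the tree and re-run the Snyk scan. Two caveats: an override is a forced resolution, not a compatibility check, so a major-version jump can change the module's exports (glob's API changed across majors), and the overridden package must itself still run on the Node versions you deploy to, which is exactly the constraint the maintainer cites for not doing this upstream. Run the application's test suite after the change.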