Flagon / FLAGON-322

minimatch deprecation: ReDoS vulnerability


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • UserALE.js 2.0.0
    • UserALE.js 2.0.0
    • UserALE.js
    • None
    • Sprint 17

    Description

      minimatch 2.0.7 has a ReDoS vulnerability. minimatch must be upgraded to ^3.0.2 to remove the vulnerability. However, minimatch 2.0.7 is a dependency of vinyl-fs, which is a dependency of gulp 3.9.1. Two potential options:

      1. The right way: update to gulp 4.0.0, which has breaking changes.
      2. The wonky way: coerce the global environment to use minimatch 3.0.2 using "npm install -g minimatch@3.0.2". gulp 3.9.1 will still force installation of vinyl-fs, which will force installation of minimatch 2.0.7. However, coercing npm to install 3.0.2 should remove the vulnerability. This solution is purely a downstream hack. See this thread: https://stackoverflow.com/questions/38046392/npm-warn-deprecated-minimatch2-0-10-please-update-to-minimatch-3-0-2-or-higher/38077214

      Will test #2 as an intermediate solution.
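      The ticket's point is that the vulnerable minimatch is not a direct dependency but arrives through gulp 3.9.1 and vinyl-fs, so checking only package.json misses it. The script below is an added example (not code from the ticket or from the UserALE.js project): it walks an `npm ls --json`-style dependency tree and reports every copy of a named package whose version falls outside a caret range, with the path that pulled it in. The sample tree, the root package name, the vinyl-fs version and the `example-plugin` branch are constructed for the example; only the gulp 3.9.1 -> vinyl-fs -> minimatch 2.0.7 chain and the ^3.0.2 floor come from the ticket.

```javascript
// Added example, not part of FLAGON-322 or UserALE.js: audit a dependency
// tree for out-of-range copies of a package and show how each got there.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so 3.0.10 sorts after 3.0.9 (string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy the caret range `^floor`: same major and >= floor?
// (Caret ranges with a 0.x floor are narrower; only a >=1 floor is needed here.)
function satisfiesCaret(version, floor) {
  return parseVersion(version)[0] === parseVersion(floor)[0] &&
    compareVersions(version, floor) >= 0;
}

// Depth-first walk over the `npm ls --json` shape:
//   { name, version, dependencies: { <pkg>: { version, dependencies } } }
// Returns one entry per out-of-range copy, with the full path from the root.
function findOutOfRange(tree, pkgName, floor) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${dep.version}`];
      if (name === pkgName && !satisfiesCaret(dep.version, floor)) {
        hits.push({ version: dep.version, path: here.join(' > ') });
      }
      walk(dep, here); // keep descending: nested copies are the whole point
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample tree. The gulp -> vinyl-fs -> minimatch 2.0.7 chain is the
// one the ticket names; the root name, the vinyl-fs version and the
// example-plugin branch (a compliant minimatch 3.0.2) are made up for the demo.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    gulp: {
      version: '3.9.1',
      dependencies: {
        'vinyl-fs': {
          version: '0.3.14', // constructed
          dependencies: {
            minimatch: { version: '2.0.7' },
          },
        },
      },
    },
    'example-plugin': {
      version: '1.2.3', // constructed
      dependencies: {
        minimatch: { version: '3.0.2' },
      },
    },
  },
};

const hits = findOutOfRange(sampleTree, 'minimatch', '3.0.2');
for (const hit of hits) {
  console.log(`minimatch ${hit.version} is outside ^3.0.2 via ${hit.path}`);
}
```

      Against real output, replace `sampleTree` with the parsed result of `npm ls --json` for the project; the path printed for each hit is the chain to upgrade or override. Note that the caret check flags a 4.x copy as out of range too, which is the correct answer for a `^3.0.2` requirement even though the copy is newer.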

      Attachments

        1. minimatch 2.0.7 vulnerability (8 kB, Joshua Poore)

      People: Joshua Poore (poorejc@me.com)