Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Done
- UserALE.js 2.0.0
- Sprint 17
Description
minimatch 2.0.7 has a ReDoS vulnerability. minimatch must be upgraded to ^3.0.2 to remove the vulnerability. However, minimatch 2.0.7 is a dependency of vinyl-fs, which is a dependency of gulp 3.9.1. Two potential options:
- The right way: update to gulp 4.0.0, which has breaking changes.
- The wonky way: coerce the global environment to use minimatch 3.0.2 using "npm install -g minimatch@3.0.2". gulp 3.9.1 will still force installation of vinyl-fs, which will force installation of minimatch 2.0.7. However, coercing npm to install 3.0.2 should remove the vulnerability. This solution is purely a downstream hack. See this thread: https://stackoverflow.com/questions/38046392/npm-warn-deprecated-minimatch2-0-10-please-update-to-minimatch-3-0-2-or-higher/38077214
Will test option 2 as an intermediate solution.
Attachments
Issue Links
- is blocked by: FLAGON-323 Update to Gulp 4.0.0 (Closed)