sdedic opened a new pull request, #26: URL: https://github.com/apache/netbeans-vscode/pull/26
NPM audit reports vulnerabilities:

```
sdedic@sdedic-nb4$ npm audit --omit=dev
# npm audit report

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/minimatch
```

This PR bumps the version of `minimatch` to 3.1.5, which fixes the vulnerability:

```
sdedic@sdedic-nb4$ npm audit --omit=dev
found 0 vulnerabilities
```

Note that there are more vulnerabilities introduced by `mocha`, as it depends not only on `minimatch` (in a vulnerable version), but also on serialize-javascript. This cannot really be addressed at this moment, as `mocha` even in its 12.0.0-beta2 (the latest public beta release) still uses vulnerable dependencies. An option would be to make a version override, but as `mocha` is only a devDependency and is not shipped, I've decided to fix just the minimatch.
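The PR relies on the distinction `npm audit --omit=dev` draws between shipped and dev-only copies of `minimatch`. The following is an added example, not code from the PR or the netbeans-vscode project: it walks the `packages` map of a lockfile (npm lockfile v2/v3 layout) and reports every copy of a package whose version falls in the advisory's vulnerable range (`<=3.1.3`), optionally skipping entries flagged `dev: true` the way `--omit=dev` does. The lockfile contents, package names other than `minimatch`, and versions other than those quoted in the PR are constructed for the example.

```javascript
// Added example (not from the PR): find vulnerable copies of a package in an
// npm lockfile "packages" map and separate runtime copies from dev-only ones.
// The lockfile below is constructed for this example; only minimatch 3.1.3/3.1.5
// come from the PR text. mocha/serialize-javascript versions are placeholders.
const sampleLock = {
  name: "example-extension",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-extension", version: "0.0.1" },
    // Top-level copy, bumped as the PR does: not in the vulnerable range.
    "node_modules/minimatch": { version: "3.1.5" },
    // Dev-only test runner pulling in its own nested, older minimatch.
    "node_modules/mocha": { version: "0.0.0-placeholder", dev: true },
    "node_modules/mocha/node_modules/minimatch": { version: "3.1.3", dev: true },
    "node_modules/serialize-javascript": { version: "0.0.0-placeholder", dev: true },
  },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric components; the
// prerelease tag is ignored for this range check.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Return -1, 0 or 1 comparing two dotted versions numerically, not lexically
// ("3.10.0" must sort after "3.9.0").
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// List every installed copy of `pkgName` whose version is <= lastVulnerable.
// A lockfile path ends in "node_modules/<name>" for each copy, nested or not.
// With omitDev=true, entries marked dev are skipped, mirroring --omit=dev.
function findVulnerable(lock, pkgName, lastVulnerable, omitDev) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith(`node_modules/${pkgName}`) || !meta.version) continue;
    if (omitDev && meta.dev) continue;
    if (compareVersions(meta.version, lastVulnerable) <= 0) {
      hits.push({ path, version: meta.version, dev: Boolean(meta.dev) });
    }
  }
  return hits;
}

// Shipped view (what --omit=dev reports) versus full view (what plain
// `npm audit` reports). For the sample lock the shipped view is clean while the
// full view still lists mocha's nested copy, matching the PR's description.
const shipped = findVulnerable(sampleLock, "minimatch", "3.1.3", true);
const everything = findVulnerable(sampleLock, "minimatch", "3.1.3", false);
console.log("vulnerable minimatch copies shipped:", shipped);
console.log("vulnerable minimatch copies including dev:", everything);
```

To run this against a real project, replace `sampleLock` with `JSON.parse` of the project's `package-lock.json`; the `dev` flag in that file is what decides whether a nested copy is counted as shipped.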
