Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

minimatch security vulnerability in CLI - only way to fix it is to delete cli folder contents #1698

Closed
diomedtmc opened this issue Mar 15, 2022 · 1 comment · Fixed by #1704
Closed

minimatch security vulnerability in CLI - only way to fix it is to delete cli folder contents #1698

diomedtmc opened this issue Mar 15, 2022 · 1 comment · Fixed by #1704

Comments

@diomedtmc
Copy link

diomedtmc commented Mar 15, 2022
edited
Loading

protobuf.js version: 6.11.2

Expected Behavior: Protobuf.js passes all security scans and vulnerability checks.
Actual Behavior: It fails our scans repeatedly because of a known minimatch 3.0.4 (or lower) security vulnerability.

Additional notes: Because of the way the cli is packaged (lock file + node_modules folder), we are unable to cleanse the problem through conventional means. (npm overrides or yarn resolutions for instance). We do not use the CLI for production runtimes, but because of the way protobufjs is packaged, the cli and its vulnerability end up in the production image.
@diomedtmc diomedtmc changed the title minimatch security vulnerable in CLI - only way to fix it is to delete cli folder minimatch security vulnerability in CLI - only way to fix it is to delete cli folder Mar 16, 2022
@diomedtmc diomedtmc changed the title minimatch security vulnerability in CLI - only way to fix it is to delete cli folder minimatch security vulnerability in CLI - only way to fix it is to delete cli folder contents Mar 16, 2022
@agustingabiola
Copy link

Follow this one: #1696 and upvote

richgerrard added a commit to richgerrard/protobuf.js that referenced this issue Mar 31, 2022
@richgerrard
Patch minimatch vulnerability
6694617 
If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes protobufjs#1696
Fixes protobufjs#1697
Fixes protobufjs#1698
@richgerrard richgerrard mentioned this issue Mar 31, 2022
Merged
alexander-fenster added a commit that referenced this issue May 20, 2022
@richgerrard @alexander-fenster
fix(deps): patch minimatch vulnerability (#1704)
bac61b8 
* Patch minimatch vulnerability

If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes #1696
Fixes #1697
Fixes #1698

* chore: update lockfile

Co-authored-by: Alexander Fenster <fenster@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(deps): patch minimatch vulnerability richgerrard/protobuf.js
2 participants
@agustingabiola @diomedtmc