
npm install warns to update minimatch to avoid RegExp DoS issue #322

Open
sudheesh001 opened this issue Aug 18, 2016 · 3 comments

Comments

@sudheesh001

$ npm install -g jake
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
C:\Users\susingan\AppData\Roaming\npm\jake -> C:\Users\susingan\AppData\Roaming\npm\node_modules\jake\bin\cli.js
C:\Users\susingan\AppData\Roaming\npm
`-- [email protected]
  +-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  `-- [email protected]

@welearnednothing
Contributor

Does anyone know if updating to Minimatch 3.x will introduce any breaking changes? The versions in use are pretty old and I don't know if the project is following semantic versioning.

On Aug 17, 2016, at 10:23 PM, Sudheesh Singanamalla [email protected] wrote:

$ npm install -g jake
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
C:\Users\susingan\AppData\Roaming\npm\jake -> C:\Users\susingan\AppData\Roaming\npm\node_modules\jake\bin\cli.js
C:\Users\susingan\AppData\Roaming\npm
`-- [email protected]
  +-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  `-- [email protected]



@mde
Contributor

mde commented Sep 25, 2016

The change from node-glob (which was a C lib) to minimatch wasn't all that traumatic. And we do have pretty good test coverage. We should know pretty quickly if there is major breakage. Would love a PR that upgrades this!

@evansjarom11

This vulnerability still exists. Please update dependency to 3.0.5 or higher. See: CVE-2022-3517

Development

No branches or pull requests

4 participants