[Security] Update rimraf to 2.5.3
minimatch <=3.0.1 is vulnerable to a Regex Denial of Service attack https://nodesecurity.io/advisories/118
node-mv depends on rimraf which depends on glob which depends on minimatch which has the vulnerability.
Please bump rimraf from ~2.4.0 to >=2.5.3 to resolve this vulnerability.
Relevant commits:
https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955
https://github.com/isaacs/node-glob/commit/f0f0872b660d83b1986cd1dd16ec4808fa183adc
https://github.com/isaacs/rimraf/commit/9e2c3102182f65bda76ca4051663784dd2db05e8
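The chain above (node-mv -> rimraf -> glob -> minimatch) is the kind of thing `npm ls minimatch` shows, but it is also easy to check offline against a lockfile. The following is an added example, not code from node-mv or from anyone in this thread: it walks a constructed package-lock style `dependencies` tree (the versions in it are illustrative, not node-mv's actual pins) and reports every path that ends in a minimatch version inside the advisory's affected range (<=3.0.1), while leaving a hoisted patched copy alone.

```javascript
// Added example (not part of node-mv or this issue thread): report every
// dependency path in a lockfile tree that reaches minimatch <=3.0.1.

// Constructed package-lock v1 style fragment modelled on the chain in the
// issue. Versions are illustrative and not taken from node-mv.
const LOCKFILE = {
  name: "example-app",
  dependencies: {
    "node-mv": {
      version: "0.1.0",
      dependencies: {
        rimraf: {
          version: "2.4.5",
          dependencies: {
            glob: {
              version: "5.0.15",
              dependencies: {
                minimatch: { version: "3.0.0" },
              },
            },
          },
        },
      },
    },
    // A hoisted, already patched copy elsewhere in the tree must not be flagged.
    minimatch: { version: "3.0.5" },
  },
};

const VULN_PKG = "minimatch";
const LAST_VULN_VERSION = "3.0.1"; // advisory range: minimatch <=3.0.1

// Numeric compare of dotted versions (prerelease tags dropped); <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, LAST_VULN_VERSION) <= 0;
}

// Depth-first walk of nested "dependencies"; returns strings like
// "node-mv@0.1.0 > rimraf@2.4.5 > glob@5.0.15 > minimatch@3.0.0".
function findVulnerablePaths(lock) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(`${name}@${info.version}`);
      if (name === VULN_PKG && isVulnerable(info.version)) {
        hits.push(here.join(" > "));
      }
      walk(info.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Stand-alone run: one line per offending path, nothing if the tree is clean.
findVulnerablePaths(LOCKFILE).forEach((p) => console.log(p));
```

Pointing this at a real `package-lock.json` (after `JSON.parse` of the file) tells you which top-level dependency has to be bumped to drop the old minimatch, which is exactly the question the rimraf bump request answers here.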
Hello @andrewrk / @cscott / @deestan / @mcandre. Any way we can get this update? Preferably to a more recent version of rimraf. In our case, minimatch fixed our vulnerability in v3.0.5 and rimraf v2.7.1 has the necessary updates for us to pick up the fix, which will also resolve the request from @rosskukulinski.
Please submit a tested security patch.
Another option involves publishing a patched fork of this dependency package, and then publishing a patched downstream package. Had to do that many times for Node projects lacking proactive maintainers.
Another option is to just ignore this warning, since it's not actually a vulnerability.
Being able to DoS yourself by providing commands to this package is not an attack.
Disregard that. Not a good posture.
@mcandre it's a quite good posture, actually. Most CVEs in the npm ecosystem are false positives, and since I'm responsible for well over 10% of npm's entire download traffic, my security postures are more thoroughly battle-tested than most, including this one.
Thank you all for the fast response. This is the minimatch issue I was looking at, which in turn was fixed by their brace-expansion dependency:
https://security.snyk.io/vuln/npm:brace-expansion:20170302
https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6
I'm also leaning on this being a warning and not necessarily a vulnerability.