glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
I just installed cookie-parser from cmd. As mentioned above, there were 4 moderates. My glob-parent -v is currently 7.19.1. 'npm audit' and 'npm audit fix' don't work. What should I do?
In your package.json, add this target under scripts:
"preinstall": "npx npm-force-resolutions"
Then add this below the scripts:
"resolutions": { "glob-parent": "^6.0.1" }
One thing: I don't know whether any dependent packages that use an older version will break because of 6.0.1.
I'm the person who wrote the fix for glob-parent that landed in glob-parent@5.1.2. There are (at least) three ways to address this.

First possibility: Update from watchpack version 1 to watchpack version 2. watchpack version 2 does not depend on a vulnerable version of glob-parent. Unfortunately, there is no CHANGELOG file in the watchpack repository, so you'll have to find the relevant breaking changes some other way. Maybe if you have excellent test coverage, you can rely on that. Or if your project is relatively new, then simply building it with watchpack version 2 to begin with will be the way to go.

The second possibility is that if watchpack is a development dependency only and not something used by the user-facing part of your app, then you probably don't need to worry about this at all and can ignore the message. I don't recommend this, but I also have to admit that npm audit warnings can be a little bit boy-crying-wolf sometimes.

The third option is to patch your vulnerable glob-parent with the fix. However, you have to know what you're doing (particularly how npm works) to not shoot yourself in the foot and end up undoing the fix without realizing it. So this is also not something I recommend.

If you can update watchpack to 2.x, that is the way to go.
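Both answers hinge on which copy of glob-parent is actually installed where: the resolutions answer only helps if the nested copy under watchpack-chokidar2 really gets replaced, and the watchpack answer only helps if no other chain still pulls in a version below 5.1.2. The following script is an added example, not code from either answer or from the glob-parent project; it walks a lockfile-v1 style package-lock.json (nested "dependencies" objects) and reports every installed glob-parent, its nesting path, and whether it is below the fixed version. The lock fragment and the watchpack-chokidar2 version in it are constructed to mirror the audit output in the question.

```javascript
// Added example (not from the original answers): find every installed copy of a package
// in a lockfile-v1 package-lock.json and flag the ones below the fixed version.
const FIXED_VERSION = '5.1.2'; // glob-parent >=5.1.2 carries the ReDoS fix (advisory 1751)

// Constructed lock fragment mirroring the chain in the question:
// watchpack -> watchpack-chokidar2 -> chokidar -> glob-parent (old), plus a top-level 6.0.1.
// The watchpack-chokidar2 version is a placeholder; the page only shows "*".
const sampleLock = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    'glob-parent': { version: '6.0.1' },
    watchpack: {
      version: '1.7.5',
      dependencies: {
        'watchpack-chokidar2': {
          version: '2.0.0',
          dependencies: {
            chokidar: { version: '2.1.8', dependencies: { 'glob-parent': { version: '3.1.0' } } },
          },
        },
      },
    },
  },
};

// Numeric compare of dotted versions (prerelease tags ignored); avoids needing the semver package.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Recursively collect every copy of `pkg`, with the chain of packages it is nested under.
function findInstalled(lock, pkg, fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkg) {
        hits.push({ path: here.join(' > '), version: info.version, vulnerable: compareVersions(info.version, fixed) < 0 });
      }
      walk(info.dependencies, here); // nested copies live under each dependency's own "dependencies"
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// To check a real project, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const h of findInstalled(sampleLock, 'glob-parent')) {
  console.log(`${h.vulnerable ? 'VULNERABLE' : 'ok        '} ${h.version.padEnd(8)} ${h.path}`);
}
```

Run it after `npm install` (or after applying the resolutions trick) to confirm that no vulnerable copy remains anywhere in the tree, not just at the top level.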