Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex

Tags:

npm

npm-install

This stack overflow answer didn't work for me (how to solve this npm glob-parent problem).

Now the blob-parent needs to upgrade to version 6.0.1 or higher.

When I do npm ls glob-parent, this is what it looks.

enter image description here

Some of the glob-parent needs to be 6.0.1 or higher but npm install [email protected] won't upgrade all of glob-parent.

How can I upgrade the glob-parent? or how can I address glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex issue?

Attempts

I tried

npm audit fix --force

npm install glob-parent

npm install [email protected]

like image 339
Happy1234 Avatar asked Oct 18 '25 12:10

Happy1234

1 Answers

After npm install [email protected], if "glob-parent": "^6.0.1" is in your projects package.json; you can add a section below the dependency sections that contain the plugin depending on the lower version in npm audit called "overrides" like such:

"dependencies": {
  ...
},  
"devDependencies": {
  "@babel/cli": "^7.13.10",
  "glob-parent": "^6.0.1"
},
"overrides": {
  "glob-parent": "$glob-parent"
}

This will tell the plugin to use the local version of the dependency instead of the one specified in it's own package, but you may have to tinker with finding a version that all your plugins play along with.

This is because this happens based on the plugins package.json dependency. If they neglect to prefix the dependent version (such as ^6.0.1 for example) then they are telling any project importing them not to go above the version specified.. This could be because newer builds break the plugin, however it could have been accidental or simply because it has only been tested with versions up to the one it specifies. If the package has not been updated in a while, newer build may have resolved breaks from previous newer builds also though.

Edit: Also be sure the local dependency is in the same dependency group as the plugin relying on it.. for example.. if the dependency with the lower version is in dependencies and not devDependencies, then you should include the local version of the plugin you are overriding under dependencies as well.

like image 198
theZ3r0CooL Avatar answered Oct 22 '25 00:10

theZ3r0CooL

Sign in to Comment

Related questions

How to compress PNG file using sharp package?
react-scripts build a file into `build` folder, from a different folder than `public`
How to use dependabot secrets in GitHub CI workflow
Determine NPM package's source url from npmjs.org's registry?
vue-cli-service: Permission denied while running npm run serve
NodeJS - Cannot find module 'spdx-license-ids'
Timeout trying to fetch resolutions from npx-force-resolutions
Is there any NodeJS bcrypt module that does not rely on node-gyp?
Installing and using js-cookie dependency with npm in Laravel
How to solve ini error for npm
Get email notifications when new version of a package published
installing bootstrap 3 via package.json
GitLab CI/CD shell executor: npm command not found
"create-nx-workspace" command not found (linxus and windows10 problem)
npm publish with git information instead of version from package.json
How can I fix this error with installing packages using npm?
"Error: spawn git ENOENT" when running react-scripts test
How to use the 'main' parameter in package.json in TypeScript project?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!