Hi Brandon, thanks for your post. I'm trying to fix the same vulnerability in your example, braces, which I have as a four-level-deep dependency, without any success. npm audit reports it as having the path cpx > chokidar > anymatch > micromatch > braces and I've specifically installed the latest version of all of those packages:
Even so, npm audit continues to report the vulnerability. I've deleted node_modules and package-lock.json and run npm install again, but it still doesn't resolve the issue. Is there something else that I need to do? I'm pretty much at my wits' end at this point.
Typically, I found a workaround after writing the above. It turns out that cpx is unmaintained. There's a fork called cpx2 that works as a drop-in replacement and resolves the vulnerability. Would the solution to this problem otherwise have been to get cpx to update its dependencies, though?
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Hi Brandon, thanks for your post. I'm trying to fix the same vulnerability in your example,
braces, which I have as a four-level-deep dependency, without any success.npm auditreports it as having the pathcpx > chokidar > anymatch > micromatch > bracesand I've specifically installed the latest version of all of those packages:Even so,
npm auditcontinues to report the vulnerability. I've deletednode_modulesandpackage-lock.jsonand runnpm installagain, but it still doesn't resolve the issue. Is there something else that I need to do? I'm pretty much at my wits' end at this point.Typically, I found a workaround after writing the above. It turns out that cpx is unmaintained. There's a fork called
cpx2that works as a drop-in replacement and resolves the vulnerability. Would the solution to this problem otherwise have been to getcpxto update its dependencies, though?