Hi Brandon, thanks for your post. I'm trying to fix the same vulnerability in your example, braces, which I have as a four-level-deep dependency, without any success. npm audit reports it as having the path cpx > chokidar > anymatch > micromatch > braces and I've specifically installed the latest version of all of those packages:
Even so, npm audit continues to report the vulnerability. I've deleted node_modules and package-lock.json and run npm install again, but it still doesn't resolve the issue. Is there something else that I need to do? I'm pretty much at my wits' end at this point.
Typically, I found a workaround after writing the above. It turns out that cpx is unmaintained. There's a fork called cpx2 that works as a drop-in replacement and resolves the vulnerability. Would the solution to this problem otherwise have been to get cpx to update its dependencies, though?