Hi Brandon, thanks for your post. I'm trying to fix the same vulnerability in your example, braces, which I have as a four-level-deep dependency, without any success. npm audit reports it as having the path cpx > chokidar > anymatch > micromatch > braces and I've specifically installed the latest version of all of those packages:
Even so, npm audit continues to report the vulnerability. I've deleted node_modules and package-lock.json and run npm install again, but it still doesn't resolve the issue. Is there something else that I need to do? I'm pretty much at my wits' end at this point.
Typically, I found a workaround after writing the above. It turns out that cpx is unmaintained. There's a fork called cpx2 that works as a drop-in replacement and resolves the vulnerability. Would the solution to this problem otherwise have been to get cpx to update its dependencies, though?