New breaking release of vinyl-fs?

[jpage-godaddy]

We have a project that makes use of vinyl-fs, which has been great. Unfortunately, our company, like many others, have policies in place around CVE's, and although the CVE for glob-parent may be innocuous, we still have a policy of eliminating those pesky warnings.

I understand that you have a node compatibility matrix, and updating glob-stream to the latest glob-parent may break the compatibility you'd like for projects like gulp, but would you be receptive to new compatibility-breaking major releases of glob-stream and vinyl-fs that bring in the fixed version of glob-parent? That way gulp@4 could stay where it is, but vinyl-fs can move on since it's so useful on its own. Or would you rather entertain a backport of the glob-parent fix to 3.x? I am willing to help but want to make sure it aligns with your plans.

[yocontra]

@jpage-godaddy The easiest avenue would be for glob-parent to backport the fix, so it would be resolved automatically for new installs and when doing npm upgrade. We do have plans for gulp 5 to adjust the compatibility matrix but it isn't something we've set a number on yet. As a workaround you can use the resolutions in your package.json to use the new glob-parent, assuming there were no breaking API changes and their major bump was only to drop old node versions.

Looking at this we may need to backport to a few old versions:

Final note - glad you found vinyl-fs useful on it's own!

[DullReferenceException]

Great, thanks for being open to this. It looks like the ReDOS fix is pretty simple. I went ahead and created a forked branch, but I think before this can be pull requested I'd need a 3.x branch on your end. Here's the diff:

https://github.com/gulpjs/glob-parent/compare/v3.1.0...DullReferenceException:audit-fixes-3.x?expand=1

(sorry for the churn... had some confusion on subsequent discussions. Looks like the latest 5.x commit fixes the ReDOS, but there was a followup discussion that the actual tests and current behavior with the regex were incorrect, but the fix for that was in a 6.x breaking release. I've reverted back to the pure ReDOS fix without the behavior changes of 6.x)

[agerard-godaddy]

@gulpjs any more thoughts on this? Either back-porting the ReDOS fix to glob-parent? Or cutting a new major version of vinyl-fs?

vinyl-fs is great, and while yea, the CVE may seem silly for what vinyl-fs is used for, it seems a straight-forward enough fix to help get devs passed these alarms we're dealing with.