
cli/package-lock.json forces insecure minimatch 3.0.4 #1696

Closed
@davidcopp

Description


protobuf.js version: 6.11.2

Upon installing the package, the cli subpackage brings in (via transitive dep) minimatch 3.0.4. This version has been flagged with a security vulnerability. A version 3.0.5 (or higher) resolves the vulnerability, but cannot be installed via npm update due to cli/package-lock.json.

At this time the latest 3.x version is minimatch 3.1.2.

  • Vulnerability reported by JFrog Xray: XRAY-198521
  • Vulnerable Component: minimatch:3.0.4
  • Severity: High
  • CVSS Score: 4.3 (v2) 7.5 (v3)
  • Fix version: 3.0.5
  • Summary: minimatch minimatch.js braceExpand() Function Improper Regular Expression DoS
  • Description: minimatch contains a flaw in the braceExpand() function in minimatch.js that is triggered as an improper regular expression is used to match patterns for brace expansion. This may allow a context-dependent attacker to hang or slow down a Node process using the library.

# in a dummy 't' project where protobufjs is the only installed package...

$ npm ls minimatch
t@1.0.0 (...omitted path...)/t
└── (empty)

$ cd node_modules/protobufjs/cli
$ npm ls minimatch
cli@6.9.0 (...omitted path...)/t/node_modules/protobufjs/cli
└─┬ tmp@0.2.1
  └─┬ rimraf@3.0.2
    └─┬ glob@7.1.6
      └── minimatch@3.0.4
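The pin reported above can be located without npm by walking the lockfile itself. The following is an added example, not code from this issue or from protobuf.js: it reads a lockfileVersion 1 package-lock.json (nested `dependencies` maps), reports every copy of a package pinned below the fix version together with the chain that pulls it in, and is run here on a constructed lockfile that mirrors the tmp > rimraf > glob > minimatch chain from the `npm ls` output.

```python
"""Report copies of a package that a lockfileVersion-1 package-lock.json pins below a fix version."""
import json
import sys

# Constructed sample lockfile (not the real cli/package-lock.json); it mirrors the chain
# shown by `npm ls minimatch` above and adds an already-fixed hoisted copy for contrast.
SAMPLE_LOCK = {
    "name": "cli", "version": "6.9.0", "lockfileVersion": 1,
    "dependencies": {
        "minimatch": {"version": "3.1.2"},
        "tmp": {"version": "0.2.1", "requires": {"rimraf": "^3.0.0"}, "dependencies": {
            "rimraf": {"version": "3.0.2", "requires": {"glob": "^7.1.3"}, "dependencies": {
                "glob": {"version": "7.1.6", "requires": {"minimatch": "^3.0.4"}, "dependencies": {
                    "minimatch": {"version": "3.0.4"}}}}}}},
    },
}


def parse_version(version):
    """'3.0.4' -> (3, 0, 4); a pre-release suffix such as '-beta.1' is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def find_pins(lock, name, fixed):
    """Return [(dependency chain, version)] for every copy of `name` pinned below `fixed`."""
    hits = []

    def walk(deps, chain):
        for dep, info in deps.items():
            here = chain + ["{}@{}".format(dep, info["version"])]
            if dep == name and parse_version(info["version"]) < parse_version(fixed):
                hits.append((" > ".join(here), info["version"]))
            # lockfile v1 nests un-hoisted copies under the parent's own "dependencies"
            walk(info.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), ["{}@{}".format(lock["name"], lock["version"])])
    return hits


if __name__ == "__main__":
    # Usage: python lockcheck.py <package-lock.json> <package> <fix version>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
        name, fixed = sys.argv[2], sys.argv[3]
    else:
        lock, name, fixed = SAMPLE_LOCK, "minimatch", "3.0.5"
    for chain, version in find_pins(lock, name, fixed):
        print("{} pinned at {} (< {}): {}".format(name, version, fixed, chain))
```

Run against a real cli/package-lock.json the output names the exact chain that `npm update` at the project root cannot change, which is the place to edit or regenerate the nested lockfile.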
