protobuf.js version: 6.11.2
Upon installing the package, the cli subpackage brings in (via a transitive dependency) minimatch 3.0.4. This version has been flagged with a security vulnerability. Version 3.0.5 (or higher) resolves the vulnerability, but cannot be installed via `npm update` because the nested cli/package-lock.json pins the older version.
At this time the latest 3.x version is minimatch 3.1.2.
- Vulnerability reported by JFrog Xray: XRAY-198521
- Vulnerable Component: minimatch:3.0.4
- Severity: High
- CVSS Score: 4.3 (v2) 7.5 (v3)
- Fix version: 3.0.5
- Summary: minimatch minimatch.js braceExpand() Function Improper Regular Expression DoS
- Description: minimatch contains a flaw in the braceExpand() function in minimatch.js that is triggered as an improper regular expression is used to match patterns for brace expansion. This may allow a context-dependent attacker to hang or slow down a Node process using the library.
```
# in a dummy 't' project where protobufjs is the only installed package...
$ npm ls minimatch
[email protected] (...omitted path...)/t
└── (empty)
$ cd node_modules/protobufjs/cli
$ npm ls minimatch
[email protected] (...omitted path...)/t/node_modules/protobufjs/cli
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```