ぜのぜ

Let's play shiritori, ze-no-ze-no-ze-no-ze

Day 477

Diary

Code I wrote today

Migrate to TypeScript by Gurrium · Pull Request #3 · Gurrium/tcx-to-altitude-image · GitHub

Thoughts

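When I run npm audit, it complains about a glob-parent vulnerability, but apparently this is not a problem because the library is only used in the development environment.*1 When I went to look at gulp's issues, they keep getting opened and then closed, which looks like a lot of trouble.*2 I do understand that being complained at feels unpleasant.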

❯ npm audit
# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    glob-watcher  >=3.0.0
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
      gulp  >=4.0.0
      Depends on vulnerable versions of glob-watcher
      Depends on vulnerable versions of vinyl-fs
      node_modules/gulp
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    vinyl-fs  >=2.4.2
    Depends on vulnerable versions of glob-stream
    node_modules/vinyl-fs
      gulp-typescript  >=2.13.0
      Depends on vulnerable versions of vinyl-fs
      node_modules/gulp-typescript

7 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
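
One way to check the "development environment only" claim for the glob-parent finding above is to read the `dev` flag that npm records in package-lock.json (lockfile v2/v3). This is an added example, not code from the original post or from the project; the lockfile content, versions, and function names are constructed for illustration.

```javascript
// Constructed sample in package-lock.json v2/v3 shape (not the project's real lockfile).
// npm sets "dev": true on entries reachable only through devDependencies.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "fast-glob": "^3.2.0" }, devDependencies: { gulp: "^4.0.2" } },
    "node_modules/gulp": { version: "4.0.2", dev: true },
    "node_modules/glob-watcher": { version: "5.0.5", dev: true },
    "node_modules/chokidar": { version: "2.1.8", dev: true },
    "node_modules/glob-parent": { version: "3.1.0", dev: true },
    "node_modules/fast-glob": { version: "3.2.12" },
    "node_modules/fast-glob/node_modules/glob-parent": { version: "5.1.2" },
  },
};

// True if dotted numeric version a is lower than b (prerelease tags are not handled).
function versionLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// List every installed copy of `name` older than `fixedIn`, including nested copies,
// and whether each copy is dev-only. "devOptional" is deliberately not treated as dev-only.
function findVulnerableCopies(lock, name, fixedIn) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .filter(([, meta]) => versionLt(meta.version, fixedIn))
    .map(([path, meta]) => ({ path, version: meta.version, devOnly: meta.dev === true }));
}

// True if at least one vulnerable copy would be installed without devDependencies.
function shipsToProduction(lock, name, fixedIn) {
  return findVulnerableCopies(lock, name, fixedIn).some((copy) => !copy.devOnly);
}

console.log(findVulnerableCopies(sampleLock, "glob-parent", "5.1.2"));
console.log("ships to production:", shipsToProduction(sampleLock, "glob-parent", "5.1.2"));
```

Running `npm audit --omit=dev` gives the same answer from npm itself by leaving devDependencies out of the report.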