Security vulnerability in Inky

A security vulnerability has been flagged in the braces package.

The issue was raised in the Inky repo:
A PR has been opened to address it:

Could someone take a look? I’ve included a quick glance for context below:

Dependabot has recently been natively pulled into GitHub and is flagging the braces package as a security vulnerability. This is a dependency of vinyl-fs and has been flagged in issue #120.


Update vinyl-fs to 3.0.3. This updates the glob-stream dependency to 6.1.0, which removes the dependency on micromatch and braces, the package that has the vulnerability.

Other uses of braces are using newer versions :+1:


Issue #120

Hello Inky maintaining team,

I started using Inky in a project and, when running npm audit, I realised that there is a vulnerability in a dependency chain. Here is the audit result for a project using inky@^1.3.7:

│ Low           │ Regular Expression Denial of Service                         │
│ Package       │ braces                                                       │
│ Patched in    │ >=2.3.1                                                      │
│ Dependency of │ inky                                                         │
│ Path          │ inky > vinyl-fs > glob-stream > micromatch > braces          │
│ More info     │                                                              │

I was looking for the best approach to fix that, and it seems that updating vinyl-fs to 3.0.* will do the trick: every 2.* version uses a vulnerable version of braces at the end of the chain, and 3 doesn't. Since it's a major update, I suppose the team needs to check whether any changes are required to keep it working.

If possible, I can contribute code too, since I'm interested in seeing this working in a project that has a vulnerability check in its pipeline.
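The kind of pipeline check mentioned above, as an added example that is not code from the Inky project or from any of the posters: it walks a nested dependency tree, flags every path that resolves to a braces version below the patched 2.3.1 named in the audit table, and shows that the path `inky > vinyl-fs > glob-stream > micromatch > braces` disappears once vinyl-fs is at 3.0.3 with glob-stream 6.1.0. The tree shape and all versions other than braces 2.3.1, vinyl-fs 3.0.3 and glob-stream 6.1.0 are constructed placeholders, not real lockfile data.

```javascript
// Added example (not from the Inky project): gate a dependency tree on a
// known-vulnerable package version. Tree shape: { name: { version, dependencies } }.

// Minimal "MAJOR.MINOR.PATCH" comparison; no prerelease or range handling.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Advisory data from the npm audit output quoted above: braces is patched in >=2.3.1.
const ADVISORY = { name: 'braces', patchedIn: '2.3.1' };

// Depth-first walk. Returns "a > b > c@version" strings for every occurrence of the
// advisory package whose version is older than the patched one.
function findVulnerablePaths(tree, advisory, prefix = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree)) {
    const path = [...prefix, name];
    if (name === advisory.name && compareVersions(node.version, advisory.patchedIn) < 0) {
      hits.push(`${path.join(' > ')}@${node.version}`);
    }
    if (node.dependencies) {
      hits.push(...findVulnerablePaths(node.dependencies, advisory, path));
    }
  }
  return hits;
}

// Constructed sample: the dependency chain from the audit table, with placeholder
// versions for vinyl-fs 2.x, glob-stream, micromatch and the old braces.
const beforeUpgrade = {
  inky: { version: '1.3.7', dependencies: {
    'vinyl-fs': { version: '2.4.4', dependencies: {          // placeholder 2.x version
      'glob-stream': { version: '5.3.5', dependencies: {     // placeholder
        micromatch: { version: '2.3.11', dependencies: {     // placeholder
          braces: { version: '1.8.5' },                      // placeholder, below 2.3.1
        } },
      } },
    } },
  } },
};

// Constructed sample after the proposed fix: vinyl-fs 3.0.3 pulls glob-stream 6.1.0,
// which has no micromatch/braces underneath. A second, hypothetical dependency still
// uses braces, but at a patched version, so it must not be flagged.
const afterUpgrade = {
  inky: { version: '1.3.7', dependencies: {
    'vinyl-fs': { version: '3.0.3', dependencies: {
      'glob-stream': { version: '6.1.0' },
    } },
    'other-tool': { version: '1.0.0', dependencies: {        // hypothetical package
      braces: { version: '2.3.2' },                          // patched version
    } },
  } },
};

// CI-style gate: 0 when the tree is clean, 1 when any vulnerable path remains.
function auditGate(tree, advisory = ADVISORY) {
  const hits = findVulnerablePaths(tree, advisory);
  for (const h of hits) console.error(`vulnerable: ${h}`);
  return hits.length === 0 ? 0 : 1;
}

console.log('before upgrade:', auditGate(beforeUpgrade) === 0 ? 'clean' : 'FAIL');
console.log('after upgrade: ', auditGate(afterUpgrade) === 0 ? 'clean' : 'FAIL');
```

Pointing the walk at a real lockfile means adapting the tree shape to the lockfile version in use; the comparison deliberately stops at plain three-part versions so that a prerelease or range string fails loudly rather than silently passing.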

Closing as duplicate of the GitHub issue.