Security vulnerability in Inky

A security vulnerability has been flagged in the braces package.

The issue was raised in the Inky repo: https://github.com/foundation/inky/issues/120
A PR has been opened to address it: https://github.com/foundation/inky/pull/121

Could someone take a look? I’ve included a quick glance for context below:

Dependabot has recently been natively pulled into GitHub and is flagging the braces package as a security vulnerability. This is a dependency of vinyl-fs and has been flagged in issue #120

Proposal

Update vinyl-fs to 3.0.3. This updates the glob-stream dependency to 6.1.0, which removes the dependency on micromatch and braces which has the vulnerability.

Other uses of braces are using newer versions :+1:

Context

Issue #120

Hello Inky maintaining team,

I started using Inky in a project and, running npm audit, I realised that there is a vulnerability in a dependency chain. Here is the audit result of a project using inky@^1.3.7:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ inky                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ inky > vinyl-fs > glob-stream > micromatch > braces          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

I was looking for the best approach to fix that and it seems that updating vinyl-fs to 3.0.* will do the trick: every other 2.* version uses a vulnerable version of braces at the end, and 3 doesn’t. Since it’s a major update I suppose the team needs to check if there’s some change to make to keep it working.

If possible, I can contribute with code too, since I’m interested in seeing this working in a project that has a vulnerability check in its pipeline.
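The audit table above and the proposed fix (move vinyl-fs to 3.0.3 so glob-stream 6.1.0 no longer pulls in micromatch and braces) come down to one question: does any path in the resolved dependency tree still reach braces at a version below the patched range `>=2.3.1`? The script below is an added example, not code from this thread or from the inky project: it walks a constructed dependency tree in the shape npm reports, prints every path that ends in an unpatched copy of a package, and runs the check once against a "before" tree and once against the "after" tree. Only the braces range and the vinyl-fs 3.0.3 / glob-stream 6.1.0 target versions are taken from the thread; the 2.x-era version numbers in the "before" tree are hypothetical placeholders, and the semver handling is a minimal `x.y.z` comparison that ignores prerelease tags.

```javascript
// Added example (not part of the thread or the inky project): reports every
// path in a dependency tree that reaches `pkg` at a version outside its
// "Patched in" range, mirroring what `npm audit` flagged for
// inky > vinyl-fs > glob-stream > micromatch > braces.

// Minimal semver parsing for plain x.y.z versions (no prerelease/build tags).
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 like a comparator would.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisory "Patched in" ranges of the form ">=X.Y.Z" (the only form handled here).
function isPatched(version, patchedIn) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedIn);
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  return compareVersions(version, m[1]) >= 0;
}

// Depth-first walk over nodes shaped { name, version, dependencies: [...] }.
// Returns one entry per path that ends in an unpatched copy of `pkg`.
function findVulnerablePaths(root, pkg, patchedIn) {
  const hits = [];
  const walk = (node, trail) => {
    const path = [...trail, node.name];
    if (node.name === pkg && !isPatched(node.version, patchedIn)) {
      hits.push({ path: path.join(' > '), version: node.version });
    }
    for (const dep of node.dependencies || []) walk(dep, path);
  };
  walk(root, []);
  return hits;
}

// Constructed "before" tree modelled on the audit path in the issue.
// The 2.x-era versions of vinyl-fs, glob-stream, micromatch and braces are
// hypothetical placeholders, not real release numbers.
const beforeTree = {
  name: 'inky', version: '1.3.7', dependencies: [
    { name: 'vinyl-fs', version: '2.0.0', dependencies: [
      { name: 'glob-stream', version: '5.0.0', dependencies: [
        { name: 'micromatch', version: '2.0.0', dependencies: [
          { name: 'braces', version: '1.0.0', dependencies: [] },
        ] },
      ] },
    ] },
  ],
};

// Constructed "after" tree: vinyl-fs 3.0.3 brings glob-stream 6.1.0, which
// (per the PR description) no longer depends on micromatch or braces.
const afterTree = {
  name: 'inky', version: '1.3.7', dependencies: [
    { name: 'vinyl-fs', version: '3.0.3', dependencies: [
      { name: 'glob-stream', version: '6.1.0', dependencies: [] },
    ] },
  ],
};

// Range taken from the "Patched in" row of the audit table.
const BRACES_PATCHED_IN = '>=2.3.1';

function auditBefore() {
  return findVulnerablePaths(beforeTree, 'braces', BRACES_PATCHED_IN);
}

function auditAfter() {
  return findVulnerablePaths(afterTree, 'braces', BRACES_PATCHED_IN);
}

console.log('before:', auditBefore()); // one hit ending in braces
console.log('after:', auditAfter());   // []
```

The same walk works on the `dependencies` object of a real `npm ls --json` dump once it is converted into the `{ name, version, dependencies: [] }` shape used here; the point of the "after" run is that the fix is verified by the absence of any path to braces, not by bumping braces itself, which is consistent with the PR's approach of dropping the transitive dependency entirely.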

Closing as duplicate of the GitHub issue.