There's a moderate vulnerability alert for `glob-parent`, which `tsup` depends on transitively through `chokidar`: GHSA-cj88-88mr-972w
```
> npm install --save-dev tsup && npm audit
added 89 packages, and audited 90 packages in 1s
11 packages are looking for funding
run `npm fund` for details
5 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
# npm audit report
glob-parent <6.0.1
Severity: moderate
glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-parent
chokidar >=1.0.0-rc1
Depends on vulnerable versions of glob-parent
node_modules/chokidar
tsup >=3.0.0
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of globby
node_modules/tsup
fast-glob *
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
globby >=8.0.0
Depends on vulnerable versions of fast-glob
node_modules/globby
5 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
```
Dependabot and `npm audit fix` cannot address this, so I'd love to have an up-to-date way to install `tsup` with a clean `npm audit`.