Vulnerability in shelljs dependency: CWE-772: Missing Release of Resource after Effective Lifetime

[Gil-Littman]

ShellJS version (the most recent version/Github branch you see the bug on):

0.8.5

Description of the bug:

A transitive dependency of shelljs introduces a vulnerability. This can be solved by updating the glob version to 9.0.0 or higher.

[nfischer]

I understand that this package is a transitive dependency, but do you know if the inflight vulnerability actually be exploited in glob? Snyk has a bad habit of flagging any "vulnerability" as something which needs fixing, without consideration of whether the warning actually applies to the downstream projects.

Unfortunately, glob@9 is not compatible with node v8, which is compatibility ShellJS still supports. Fixing this is not a trivial package upgrade.

[nfischer]

#828 might be a possible path forward. I originally filed that ticket because fast-glob seemed to have nice perf wins, but switching to that would also mean we can avoid this dependency. I think it's mostly a drop-in replacement, but I see a few behavior differences around symlinks (both broken and non-broken). The behavior differences are clear since several tests are broken.

If someone wants to start a PR to move to fast-glob, let me know. I'm happy to review and provide guidance on the path forward.

[Gil-Littman]

I don't know that the vulnerability is exploitable in glob (probably not), but I also don't know that it isn't.
I was hoping this would be a straight forward fix, I'm sorry to hear it isn't.
I'll keep an eye on #828

Thanks for your quick response.

[nfischer]

I think the switch to fast-glob was more straightforward than expected. I wrote up #1153 to do this.

Unfortunately we currently expose globOptions as part of our public API. I think deprecating this is the best path forward (I don't think anyone uses this API), however if there's a need for this then we may be able to manually convert node-glob parameters into the corresponding fast-glob parameters. https://www.npmjs.com/package/fast-glob#compatible-with-node-glob has a nice conversion table.