Skip to content

Pinned version of tempy has vulnerable transitive dependency #177

Description

@adambullmer

Looks like tempy is on a strict version 1.0.1 in this project's package.json. As a result, this tree is the maximum version of glob that can be upgraded safely while respecting all the other package's constraints.

├─ root-package
│  └─ semantic-release-monorepo@npm:8.0.2 [0d2e1] (via npm:^8.0.2 [38627])
│     └─ tempy@npm:1.0.1 (via npm:1.0.1)
│        └─ del@npm:6.1.1 (via npm:^6.0.0)
│           └─ rimraf@npm:3.0.2 (via npm:^3.0.2)
│              └─ glob@npm:7.2.3 (via npm:^7.1.3)

The CVE that this version of glob is affected by is CVE-2025-64756.

I'm not sure if there was a technical reason that it was pinned, but at this point there are 2 major version increases for tempy. I haven't exhausted them all but, I have confirmed that if this library upgraded to the latest, this particular CVE would go away. I'd be happy to make a PR to migrate this dependency, but wanted to check first that there wasn't a technical reason for this particular pin.

ETA:

  • I looked into the loose 2.0 release of tempy, and the same glob version (by way of the same del version) would be included, so 3.x would be necessary.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions