Vulnerability Identified in the dependency glob npm package

[kkpranesh]

Missing Release of Resource after Effective Lifetime
Vulnerable module
inflight
Introduced through
sequelize-typescript@2.1.6 > glob@7.2.0 > inflight@1.0.6
Fixed in
glob@9.0

Fix: Update the glob npm package

[comeonyo]

Hello, I’ve encountered a similar problem related to the outdated version of glob used in sequelize-typescript.

Here are the details:

When running npm install, I receive multiple warnings about deprecated versions of glob:

npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@7.2.0: Glob versions prior to v9 are no longer supported

After investigating, I found that sequelize-typescript@2.1.6 depends on glob@7.2.0:

$ npm ls glob
├─┬ sequelize-typescript@2.1.6
│ └── glob@7.2.0

The issue with outdated glob is critical as versions prior to v9 are no longer supported and may cause compatibility or security concerns. Additionally, warnings like these can clutter the installation process and make debugging more difficult for teams.

Would it be possible to update the dependency on glob to a more recent version (v9 or higher)? This would help prevent deprecation warnings and ensure better support for downstream projects.

[avez-fsd]

Having similar issue, getting the below warning from inflight.

This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

[luanxuechao]

HI @WikiRik could you help take a look?

[brandon-philpot]

I was faced with the same issue, and after searching, it appears they will not fix the inflight module issue because then they would no longer support Node 10. But isn't that the wrong way of thinking? Node 10 is EOL April 30, 2021. Shouldn't the project aim to upgrade and be compliant with the latest versions? Unless there is a viable alternative, even major projects like NestJS suggest using this package.

[nhuphuoc-bic]

I've faced the same issue. Please upgrade glob version

[andres-flores-espol]

I agree. They should specify in the engine that they now support node >=16. Since node 14 is also EOL, it shouldn't even matter. Developers could also continue using the current version of sequelize-typescript for their environments below node16.