build: update dependency picomatch to v4.0.4 (21.2.x) #32847
alan-agius4 merged 1 commit into angular:21.2.x from
Conversation
See associated pull request for more information.
Code Review
This pull request updates the picomatch dependency from version 4.0.3 to 4.0.4 across several package.json files within the Angular ecosystem, including packages/angular/build/package.json, packages/angular_devkit/build_angular/package.json, and packages/angular_devkit/core/package.json. The pnpm-lock.yaml file has also been updated to reflect this dependency upgrade and its transitive effects on packages like fdir and tinyglobby. There are no review comments to address.
I would like to see this merged in. We have some CI/CD vulnerability scanners that are raising issues with this. Also:

```text
picomatch  4.0.0 - 4.0.3
Severity: high
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
fix available via `npm audit fix --force`
Will install @angular-devkit/build-angular@17.1.4, which is a breaking change
node_modules/picomatch
  @angular-devkit/core >=17.2.0-next.0
  Depends on vulnerable versions of picomatch
  node_modules/@angular-devkit/core
  @angular-devkit/architect 0.1000.0-next.0 - 0.1000.0-rc.1 || >=0.1702.0-next.0
  Depends on vulnerable versions of @angular-devkit/core
  node_modules/@angular-devkit/architect
  @angular-devkit/build-webpack >=0.1702.0-next.0
  Depends on vulnerable versions of @angular-devkit/architect
  node_modules/@angular-devkit/build-webpack
  @angular-devkit/schematics >=17.2.0-next.0
  Depends on vulnerable versions of @angular-devkit/core
  node_modules/@angular-devkit/schematics
  @angular/cli 10.0.0-next.0 - 10.0.0-rc.1 || 14.1.0-next.0 - 14.1.0-rc.3 || 17.0.0-next.0 - 17.0.0-next.2 || >=17.2.0-next.0
  Depends on vulnerable versions of @angular-devkit/architect
  Depends on vulnerable versions of @angular-devkit/core
  Depends on vulnerable versions of @angular-devkit/schematics
  Depends on vulnerable versions of @schematics/angular
  node_modules/@angular/cli
  @schematics/angular >=17.2.0-next.0
  Depends on vulnerable versions of @angular-devkit/core
  Depends on vulnerable versions of @angular-devkit/schematics
  node_modules/@schematics/angular
```
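The audit output above flags picomatch 4.0.0 through 4.0.3. The following is an added example, not code from this PR, from Angular or from picomatch: a dependency-free Node script that checks a pnpm-lock.yaml and a package-lock.json for resolved picomatch versions inside that range, so the same check a CI scanner performs can be reproduced locally before and after a bump like this one. The two lockfile snippets are constructed for the example; the key shapes they use (`picomatch@4.0.3:` entries in pnpm lockfiles, `node_modules/picomatch` paths in package-lock.json v2/v3) are the real ones.

```javascript
"use strict";

// Added example (not Angular's or picomatch's code): flag lockfile entries whose
// version falls in an advisory range, here picomatch 4.0.0 - 4.0.3 as reported
// by the npm audit output in this thread.

// Parse "major.minor.patch"; pre-release/build suffixes are ignored for the
// numeric comparison. Returns null for strings that are not release versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive check: lo <= version <= hi.
function inRange(version, lo, hi) {
  const v = parseVersion(version);
  return v !== null &&
    compareVersions(v, parseVersion(lo)) >= 0 &&
    compareVersions(v, parseVersion(hi)) <= 0;
}

// pnpm-lock.yaml package keys look like "picomatch@4.0.3:" (lockfile v9, under
// packages: and snapshots:) or "/picomatch@4.0.3:" (lockfile v6). A line scan
// anchored at the key position is enough: dependency lines ("picomatch: 4.0.3")
// and peer suffixes ("fdir@6.5.0(picomatch@4.0.3):") are deliberately skipped,
// so only resolved package entries are reported.
function pnpmLockVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\/]/g, "\\$&");
  const re = new RegExp(`^\\s*/?${escaped}@(\\d+\\.\\d+\\.\\d+[^:(\\s]*)`, "gm");
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found];
}

// package-lock.json (lockfileVersion 2/3) keys packages by install path, so a
// nested duplicate such as "node_modules/a/node_modules/picomatch" is caught too.
function npmLockVersions(lock, pkg) {
  const found = new Set();
  const suffix = `node_modules/${pkg}`;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if ((path === suffix || path.endsWith(`/${suffix}`)) && entry && entry.version) {
      found.add(entry.version);
    }
  }
  return [...found];
}

function flagVulnerable(versions, lo, hi) {
  return versions
    .filter((v) => inRange(v, lo, hi))
    .sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
}

// Constructed sample lockfiles (not taken from the Angular repository).
const SAMPLE_PNPM_LOCK = `lockfileVersion: '9.0'

packages:

  picomatch@4.0.3:
    resolution: {integrity: sha512-constructed}
    engines: {node: '>=12'}

  tinyglobby@0.2.15:
    resolution: {integrity: sha512-constructed}

snapshots:

  picomatch@4.0.3: {}

  tinyglobby@0.2.15:
    dependencies:
      fdir: 6.5.0(picomatch@4.0.3)
      picomatch: 4.0.3
`;

const SAMPLE_NPM_LOCK = {
  name: "constructed-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { picomatch: "4.0.4" } },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
  },
};

// Affected range taken from the audit output quoted in the thread.
const ADVISORY = { pkg: "picomatch", lo: "4.0.0", hi: "4.0.3" };

function scanLockfiles(pnpmText, npmLock) {
  return {
    pnpm: flagVulnerable(pnpmLockVersions(pnpmText, ADVISORY.pkg), ADVISORY.lo, ADVISORY.hi),
    npm: flagVulnerable(npmLockVersions(npmLock, ADVISORY.pkg), ADVISORY.lo, ADVISORY.hi),
  };
}

function scanSamples() {
  return scanLockfiles(SAMPLE_PNPM_LOCK, SAMPLE_NPM_LOCK);
}

// Run directly: scan real lockfiles in the current directory when present,
// otherwise the constructed samples. A non-zero exit code suits CI.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const pnpmText = fs.existsSync("pnpm-lock.yaml") ? fs.readFileSync("pnpm-lock.yaml", "utf8") : SAMPLE_PNPM_LOCK;
  const npmLock = fs.existsSync("package-lock.json") ? JSON.parse(fs.readFileSync("package-lock.json", "utf8")) : SAMPLE_NPM_LOCK;
  const hits = scanLockfiles(pnpmText, npmLock);
  console.log(JSON.stringify(hits));
  process.exitCode = hits.pnpm.length + hits.npm.length > 0 ? 1 : 0;
}
```

On the constructed samples the pnpm lockfile is flagged (it still resolves picomatch@4.0.3 even though a transitive dependent references it only through a peer suffix), while the package-lock.json is clean: the hoisted copy is 4.0.4 and the nested 2.x copy is below the affected range, which is the distinction a scanner has to make when a repository carries more than one picomatch.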
@Stargator It looks like you're running v17, which is out of LTS. Your version won't get the fix.
@JeanMeche, that's actually how
@alan-agius4, I see a lot of dependencies are pinned to an exact version instead of a range like ~4.0.4 or ^4.0.4. It seems like it would save the Angular team work to allow for at least patch releases.
@Stargator, unfortunately a lot of NPM dependencies do not follow semver, and we have had a lot of breakages in minor and patch versions over time. So for stability we choose to pin all of our dependencies.
This PR was merged into the repository. The changes were merged into the following branches:
This PR contains the following updates:
4.0.3 → 4.0.4

Release Notes
micromatch/picomatch (picomatch)
v4.0.4 (Compare Source)
This is a security release fixing several security relevant issues.
What's Changed
Full Changelog: micromatch/picomatch@4.0.3...4.0.4