Arborist has outdated dependencies which still use [email protected] which has a CVE #8813
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
There are at least 2 dependencies that are out of date and still reference [email protected] or below, which have CVE issues and are used by Lerna/Lerna-Lite (I maintain the latter).
This one should be at 5.0.3 to get Glob 13.x
cli/workspaces/arborist/package.json
Line 9 in 58afdcc
    "@npmcli/map-workspaces": "^5.0.0",
then this one should be at 20.0.3 to get Glob 13.x
cli/workspaces/arborist/package.json
Line 18 in 58afdcc
    "cacache": "^20.0.1",
I know that I can simply force the lock file to update, but it's a little hard when it's a transitive dependency like this one. So in Lerna/Lerna-Lite (I use and maintain the latter), when I use it in other monorepos, I still see this, and Renovate can't fix it by itself because it is caused by @npmcli/arborist:
Transitive dependency glob 11.0.3 is introduced via
@lerna-lite/cli 4.9.4 ... glob 11.0.3
@lerna-lite/publish 4.9.4 ... glob 11.0.3
@lerna-lite/watch 4.9.4 ... glob 11.0.3
Expected Behavior
Arborist should be updated to the latest dependencies so that we can get rid of any CVE. This can be fixed by simply updating the 2 deps I mentioned above.
Steps To Reproduce
- In any environment
- See error...
Transitive dependency glob 11.0.3 is introduced via
@lerna-lite/cli 4.9.4 ... glob 11.0.3
@lerna-lite/publish 4.9.4 ... glob 11.0.3
@lerna-lite/watch 4.9.4 ... glob 11.0.3
Environment
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.19.0
; npm local prefix = C:\github
; npm version = 10.9.0
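As an added illustration of the transitive-dependency problem described in this issue (not code from npm, arborist or Lerna-Lite), the script below walks a lockfileVersion 2/3 package-lock.json, finds every nested copy of a package, names the dependent whose node_modules holds it, and flags copies below a minimum version. The lock fragment is constructed for the example, and 13.0.0 is assumed as the threshold only because the issue says the updated deps pull in Glob 13.x; the real fixed version must come from the advisory.

```javascript
// Added example: report nested copies of a package in package-lock.json
// (lockfileVersion 2/3, "packages" keyed by node_modules path) that sit
// below a minimum version, together with the dependent that owns them.

function parseVersion(v) {
  // Plain x.y.z only; a pre-release suffix is dropped for this check.
  return v.split('-')[0].split('.').map(Number);
}

function versionBelow(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y;
  }
  return false;
}

function findVulnerableCopies(lock, name, minFixed) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match "node_modules/<name>" at top level or nested under a dependent.
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    // The owner is the package whose node_modules holds this copy;
    // a top-level copy has no parent path and belongs to the project root.
    const parent = path.slice(0, path.length - suffix.length - 1);
    const owner = parent ? parent.replace(/^.*node_modules\//, '') : '(root)';
    if (versionBelow(meta.version, minFixed)) {
      hits.push({ path, owner, version: meta.version });
    }
  }
  return hits;
}

// Constructed lock fragment for the example; versions other than the
// glob 11.0.3 copy quoted in the issue are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'monorepo', version: '1.0.0' },
    'node_modules/glob': { version: '13.0.0' },
    'node_modules/@npmcli/arborist': { version: '0.0.0-constructed' },
    'node_modules/@npmcli/arborist/node_modules/glob': { version: '11.0.3' },
    'node_modules/cacache/node_modules/glob': { version: '10.4.5' },
  },
};

console.log(findVulnerableCopies(sampleLock, 'glob', '13.0.0'));
```

The same walk can be pointed at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to see which dependents pin the old copy.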