cpy has transitive dependencies with a CVE vulnerability #98
Closed
cpy depends on globby @ ^12.0.2. Following the dependency chain, this also pulls in globby @ 9.2.0. That version of globby depends on fast-glob which depends on glob-parent at a specific version with a vulnerability.
```
| +-- globby@9.2.0
| | +-- @types/glob@7.2.0
| | | +-- @types/minimatch@3.0.5
| | | `-- @types/node@16.11.9
| | +-- array-union@1.0.2
| | | `-- array-uniq@1.0.3
| | +-- dir-glob@2.2.2
| | | `-- path-type@3.0.0
| | | `-- pify@3.0.0
| | +-- fast-glob@2.2.7
| | | +-- @mrmlnc/readdir-enhanced@2.2.1
| | | | +-- call-me-maybe@1.0.1
| | | | `-- glob-to-regexp@0.3.0
| | | +-- @nodelib/fs.stat@1.1.3
| | | +-- glob-parent@3.1.0 <---
| | | | +-- is-glob@3.1.0
| | | | | `-- is-extglob@2.1.1 deduped
| | | | `-- path-dirname@1.0.2
```

```
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| glob-parent | CVE-2020-28469   | HIGH     | 3.1.0             | 5.1.2         | nodejs-glob-parent: Regular           |
|             |                  |          |                   |               | expression denial of service          |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28469 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
```
The latest version of globby has a dependency tree which does pull in a fixed version of glob-parent.