
Several security vulnerabilities in dependency list #65

Open
bennycode opened this issue Feb 14, 2022 · 7 comments

Comments

@bennycode

cpx defines a lot of vulnerable dependencies, such as:

  • braces@^1.8.2
  • semver-regex@^2.0.0
  • glob-parent@^2.0.0

Can you please update these deps? @mysticatea

@nick-keller

It also uses minimist@1.2.5, which has a critical security issue.

@AmirHussain93

It also uses shell-quote, could you please update it to the latest as soon as possible?

Can anyone please look into this?
@mysticatea @k88hudson @igor-toporet @forivall @pdehaan @quilicicf @yassh

@quilicicf
Contributor

I wish I could do something but I have no rights on that repository and my one and only PR never got merged 🤷
This repository hasn't seen a change since 2018 anyway, the maintainer probably doesn't receive the notifications anymore...
So either we somehow manage to get @mysticatea to have a look (they seem to still be active on GitHub) or we might have to fork...

@AmirHussain93

AmirHussain93 commented Jun 22, 2022

Hi @quilicicf, thanks for the quick reply. Is there any way to inform the owner other than GitHub?

@leschdom

FYI: For time being we switched to https://www.npmjs.com/package/cpx-fixed mentioned in https://stackoverflow.com/questions/54996035/npm-copy-files-with-cpx-in-postinstall-script/59845967#59845967 - but of course it would be better when the "root" issue is addressed in this repository.

@quilicicf
Contributor

I do not know the author unfortunately, so I have no clue what the best channel is to reach them :-(
They didn't share their email on GitHub but it looks like they have a Twitter account with the same handle as on GitHub.
Might be worth it to try I guess.

@douglasg14b

Sucks that it can't be taken over and community maintained, thus the JS ecosystem churns forward :(
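Before switching to a replacement package or forking, it helps to know which top-level dependency actually pulls each flagged package in, and whether any of them is also reached through another parent. The script below is an added example, not code from the cpx project: it walks an `npm ls --json`-style tree and groups the packages named in this thread by the top-level dependency that introduces them. The tree, the `example-*` packages and every version not quoted in the thread are constructed placeholders.

```javascript
// Added example: report every dependency path that reaches a package flagged in
// the issue, then group the hits by top-level dependency.

// Package names come from the thread; versions quoted there are kept, while the
// "example-*" packages and "0.0.0-placeholder" versions are constructed.
const SAMPLE_TREE = {
  name: "my-app", version: "1.0.0",
  dependencies: {
    cpx: {
      version: "1.5.0",
      dependencies: {
        braces: { version: "1.8.2" },
        "semver-regex": { version: "2.0.0" },
        minimist: { version: "1.2.5" },
        "shell-quote": { version: "0.0.0-placeholder" },
        "example-glob-lib": {
          version: "0.0.0-placeholder",
          dependencies: { "glob-parent": { version: "2.0.0" } },
        },
      },
    },
    "example-other-lib": {
      version: "0.0.0-placeholder",
      dependencies: { minimist: { version: "1.2.5" } },
    },
  },
};

const FLAGGED = new Set(["braces", "semver-regex", "glob-parent", "minimist", "shell-quote"]);

// Depth-first walk; returns one record per path that ends in a flagged package.
function findDependencyPaths(tree, flagged, path = [], found = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (flagged.has(name)) {
      found.push({ name, version: info.version, chain: here.join(" > ") });
    }
    findDependencyPaths(info, flagged, here, found); // recurse into nested deps
  }
  return found;
}

// Group flagged packages by the top-level dependency that pulls them in: a package
// that is also reached through another parent is not fixed by replacing cpx alone.
function flaggedByTopLevel(records) {
  const byTop = {};
  for (const r of records) {
    const top = r.chain.split(" > ")[0].replace(/@[^@]*$/, ""); // strip "@version"
    (byTop[top] = byTop[top] || new Set()).add(r.name);
  }
  return Object.fromEntries(Object.entries(byTop).map(([k, v]) => [k, [...v].sort()]));
}

console.log(flaggedByTopLevel(findDependencyPaths(SAMPLE_TREE, FLAGGED)));
```

On a real project, feed it the parsed output of `npm ls --all --json` instead of `SAMPLE_TREE`.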
