posibility of a 4.15.14 release for @vue/cli-plugin-eslint with updated globby

[evansrobert]

Version

4.5.13

What is expected?

No warning

What is actually happening?

Warning

---

Subject of the issue

@vue/cli-plugin-eslint@4.5.13 requires glob-parent@3.1.0, which has a security problem (see: CVE-2020-28469):
@vue/cli-plugin-eslint@4.5.13 ➔ globby@9.2.0 ➔ fast-glob@2.2.7 ➔ glob-parent@3.1.0

I do not know if this vulnerability actually affects @vue/cli-plugin-eslint, but it will show up in security reports about dependencies. Since a large number of developers use @vue/cli-plugin-eslint@4.5.13(259,731 downloads per week), is there any posibility that you could release an update version for 4.5.* (ie 4.15.14) that introduces a patched version(>=5.1.2) of glob-parent?

In @vue/cli-plugin-eslint@4.5.14, maybe you can perform the following update:
globby ^9.2.0 ➔ ^10.0.0
where globby@10.0.0 ➔ fast-glob@3.2.7 ➔ glob-parent@5.1.2 and glob-parent@5.1.2 has fixed the vulnerability CVE-2020-28469.
Thank you for your help and welcome to share other ways to resolve the issue.

[haoqunjiang]

It's not a real vulnerability to Vue CLI users. See https://overreacted.io/npm-audit-broken-by-design/
Please ignore the report or use yarn resolutions or npm-force-resolutions