A prompt response to software defects and security vulnerabilities is a top priority for Antora. Even though threats are a fact of life, we take quality assurance seriously with nearly 100% test coverage. This page documents the items that slipped through and how to address them.
Jun 7, 2021
There’s a known security vulnerability in the version of glob-parent that this project pulls in as a transitive dependency of vinyl-fs. We’re aware of this problem and are working to eliminate it from the dependency chain as soon as possible.
The maintainer of vinyl-fs refuses to address the problem, so we will be removing vinyl-fs from Antora entirely. However, this is not a trivial change and will require time to address. We plan to remove it completely in a later release in the 3.0.x release line.
Fortunately, Antora uses glob-parent in a controlled way, so this vulnerability is not an attack vector for Antora. However, we recognize that the notice is annoying and may trigger security protocols for users who see it.