[CVE-2024-4067] Vulnerability detected in micromatch.braces() #259
Comments
It looks like this regressed between 4.0.6 — which removed the pattern as part of a4a4dbe — and 4.0.7 (which does not contain this commit). Overall the release of 4.0.7 looks a little strange; the package.json file on master still states 4.0.6. Edit: Looks like 4.0.7 was released based on the v4 branch, which looks to have diverged from master. I have created #260 |
Thank you @jacobjmarks. Could you kindly update this thread when the issue is fixed? |
Hm, there's this 5-year old pinned issue at the top of the issues page. Does it still apply today? |
Micromatch doesn't have a pinned dependency on braces. If you remove your lock file, you'll get the latest version of braces with the fix. |
@JeanMeche Which lock file are you talking about? |
|
If you're using pnpm you can use |
Hello, I have the latest version of micromatch 4.0.7 and braces 3.0.3. I updated through an override of the dependencies. But the vulnerability still appears on the security report. Any more tips that I can try? |
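The two comments above (remove the lock file, or add an override, yet the scanner still complains) come down to one question: which copies of braces does the lockfile actually resolve? Below is an added example, not code from the micromatch project, that walks the `packages` map of a lockfileVersion 2/3 package-lock.json and lists every resolved copy of a package, nested ones included, flagging those below a minimum version the caller supplies (3.0.3 here, the braces version named in this thread as carrying the fix; the lockfile contents are constructed sample data).

```javascript
// Added example (not from micromatch): find every copy of a package that a
// package-lock.json (lockfileVersion 2 or 3) resolves, including nested copies
// under other packages' node_modules, and flag those below a minimum version.
// Scanners read the lockfile, so a root-level override that leaves a nested
// copy in place still shows up in the security report.

// Compare two "x.y.z" versions numerically; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lockfile path whose last segment is `name`, with the resolved
// version and whether it is older than `minVersion`.
function findResolvedCopies(lockfile, name, minVersion) {
  const results = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Matches "node_modules/<name>" at any depth, but not "<name>" as a suffix
    // of another package name or a scoped package with the same basename.
    if (!path.endsWith('node_modules/' + name)) continue;
    results.push({
      path,
      version: entry.version,
      vulnerable: compareSemver(entry.version, minVersion) < 0,
    });
  }
  return results;
}

// Constructed sample lockfile: the root resolves braces 3.0.3 (e.g. via an
// override), but a nested copy under micromatch is still an older release.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { micromatch: '^4.0.7' } },
    'node_modules/braces': { version: '3.0.3' },
    'node_modules/micromatch': { version: '4.0.7', dependencies: { braces: '^3.0.2' } },
    'node_modules/micromatch/node_modules/braces': { version: '3.0.2' },
  },
};

function auditSample() {
  return findResolvedCopies(sampleLock, 'braces', '3.0.3');
}

for (const r of auditSample()) {
  console.log(`${r.path}: ${r.version}${r.vulnerable ? '  <-- below 3.0.3' : ''}`);
}
```

Point the function at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; any entry reported as vulnerable is a copy the override did not reach.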
I downgraded to 4.0.6 in the meantime. Will close this topic now. |
IIUC
|
master is not backwards compatible. It needs to be fixed in a backwards-compatible way by someone. |
Fair enough.. I naively saw it appeared fixed on Of course, if |
5.x is not useful to release, because micromatch is rarely used on its own. It's mostly in other packages and they can't really be bothered to be broken. |
Hello @jonschlinkert,
I am currently using the latest version of micromatch 4.0.7, and I notice the package was flagged for a Regular Expression Denial of Service (ReDoS) vulnerability, located in micromatch.braces() in index.js, because of the pattern ".*" [CVE-2024-4067].
By the way, I already have the latest version of braces (3.0.3) installed in the package.
Is this being looked at and addressed?