Vulnerable Dependency - braces #1314

Closed
madhavsarpalJG opened this issue May 17, 2024 · 4 comments

Comments

@madhavsarpalJG

  • chokidar uses braces, which has a vulnerability rated 7.5, CVE-2024-4068. Can we use an alternative, or are we waiting for a fix from them?
@paulmillr
Owner

paulmillr commented May 17, 2024

  1. It is not a real vulnerability. CVE rating 7.5 is nonsense. More like 2.5.
  2. They can't even produce a working exploit. Some folks have found some slowdown for 100 million braces, which is nonsense. Would you personally build such a regex?
  3. There are no other packages to switch to. They are either ESM-only, or very slow, or potentially dangerous with unknown maintainers. They can upload malware to chokidar users.
  4. See the thread for the context. We are waiting to either retract the CVE, fix the issue, etc. It is another shit that got a CVE: [BUG] Vulnerabilities Found in Micromatch and Braces (micromatch/micromatch#243)

@thomashohn

So are you planning on doing a release 3.6.1 with braces 3.0.3?

@paulmillr
Owner

@thomashohn no.

Is there something in "we are using version ranges" phrase you don't understand?

@paulmillr paulmillr closed this as not planned (won't fix, can't repro, duplicate, stale) on May 22, 2024
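The maintainer's position is that chokidar declares braces with a version range, so a dependent project picks up braces 3.0.3 by refreshing its own lockfile rather than waiting for a chokidar release. As an added example that is not part of this thread or of chokidar's code, the script below shows both halves of that check: which installed copies of braces in a package-lock.json are still below 3.0.3, and whether a given range (the `~3.0.2` range in the sample is an assumption, not quoted from chokidar) would admit the fixed version.

```javascript
// Added example, not chokidar's or braces' code: find resolved braces copies
// below the version the thread names as fixed (3.0.3) and test whether a
// manifest range would admit that version on a plain lockfile refresh.
const FIXED_BRACES = "3.0.3";

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing two x.y.z versions numerically.
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimal range semantics for majors >= 1 (enough for braces 3.x):
//   "~3.0.2" admits >=3.0.2 <3.1.0, "^3.0.2" admits >=3.0.2 <4.0.0,
//   a bare version admits only itself (a pin, which would need a new release).
function rangeAdmits(range, version) {
  const op = range[0];
  const base = op === "~" || op === "^" ? range.slice(1) : range;
  if (compare(version, base) < 0) return false;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (op === "~") return vMaj === bMaj && vMin === bMin;
  if (op === "^") return vMaj === bMaj;
  return compare(version, base) === 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and list every installed braces copy, nested ones included, still below the fix.
function vulnerableBraces(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/braces") && compare(meta.version, FIXED_BRACES) < 0)
      hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment; the "~3.0.2" range on chokidar is an assumption.
const sampleLock = { packages: {
  "node_modules/braces": { version: "3.0.2" },
  "node_modules/chokidar": { version: "3.6.0", dependencies: { braces: "~3.0.2" } },
} };
console.log(vulnerableBraces(sampleLock), rangeAdmits("~3.0.2", FIXED_BRACES));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means the lockfile, not chokidar, is what still needs updating.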
@thomashohn

No sir
