Skip to content
GitLab
Closed
Issue created by Administrator@rootContributor

Dependency on insecure version of braces (Node security advisory 786)

Created by: yhoiseth

Is this a bug report?

Yes.

Did you try recovering your dependencies?

I don't think this step is necessary, due to the error being present in a brand new project.

Which terms did you search for in User Guide?

None.

Environment

Environment Info:

  System:
    OS: macOS 10.14.3
    CPU: x64 Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz
  Binaries:
    Node: 10.15.0 - /usr/local/opt/node@10/bin/node
    Yarn: 1.13.0 - /usr/local/bin/yarn
    npm: 6.4.1 - /usr/local/opt/node@10/bin/npm
  Browsers:
    Chrome: 72.0.3626.109
    Firefox: 65.0
    Safari: 12.0.3
  npmPackages:
    react: ^16.8.2 => 16.8.2 
    react-dom: ^16.8.2 => 16.8.2 
    react-scripts: 2.1.5 => 2.1.5 
  npmGlobalPackages:
    create-react-app: Not Found

Steps to Reproduce

  1. yarn create react-app my-app
  2. cd my-app/
  3. yarn audit

In addition, I've tried to add braces as a top-level dependency using yarn add braces. That didn't help.

Expected Behavior

Pass.

Actual Behavior

Fail:

➜  my-app git:(master) yarn audit
yarn audit v1.13.0
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > babel-jest > babel-plugin-istanbul >         │
│               │ test-exclude > micromatch > braces                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/786                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

63 vulnerabilities found - Packages audited: 36332
Severity: 63 Low
✨  Done in 3.12s.

Reproducible Demo

I don't think this is necessary, due to the required steps being very few.