Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please upgrade to latest braces version #3269

Closed
maeisdev opened this issue Feb 17, 2019 · 12 comments
Closed

Please upgrade to latest braces version #3269

maeisdev opened this issue Feb 17, 2019 · 12 comments

Comments

@maeisdev
Copy link

Expected behaviour

Updated to braces 2.3.1.

Actual behaviour

 === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > expand-braces > braces                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Environment Details

Karma version: 4.0.0
@Adam-Kernig
Copy link

@maedewiza I don't want to disrupt this too much, how did you copy the npm audi text in so cleanly, I have reported this issue in angular also, just wondering :)

@Adam-Kernig
Copy link

Update:
Braces has not been updated in 4 years, is this wise to have this package in at all.

@luc-tielen
Copy link

this fixed it for me (add to package.json), but hopefully only temporarily needed:

  "resolutions": {
    "braces": "^2.3.2",
  }

@dominik-bln
Copy link

Seems to work only for yarn, anyone got a working solution for npm?

SteinRobert added a commit to SteinRobert/karma that referenced this issue Feb 18, 2019
@SteinRobert
fix: remove vulnerable dependency expand-braces
563f4a9 
Remove `expand-braces` as a dependency. Use `braces.expand` instead
now.

Fixes karma-runner#3268
Fixes karma-runner#3269
@SteinRobert SteinRobert mentioned this issue Feb 18, 2019
Merged
johnjbarton pushed a commit that referenced this issue Feb 19, 2019
@SteinRobert @johnjbarton
fix: remove vulnerable dependency expand-braces (#3270)
4ec4f6f 
Remove `expand-braces` as a dependency. Use `braces.expand` instead
now.

Fixes #3268
Fixes #3269
@KurtPreston
Copy link

@SteinRobert any chance of releasing this fix on a 3.x build?

@SteinRobert
Copy link
Contributor

@KurtPreston that's not for me to decide - I just provided the PR. I'm not a maintainer/owner of this project. However from what I see in this repo it seems unlikely.

@KurtPreston
Copy link

@SteinRobert Sorry, my mistake, misread the PR. Thanks for the patch!
@johnjbarton Any chance of releasing this fix on a 3.x build?

@johnjbarton
Copy link
Contributor

We should get #3265 fixed first. (And this will be on 4.x)

@vladimiry vladimiry mentioned this issue Feb 21, 2019
Closed
@Adam-Kernig
Copy link

When is this master version going to be launched so we can updated, will this be 4.0.1

@Westbrook Westbrook mentioned this issue Feb 23, 2019
Closed
@maeisdev maeisdev mentioned this issue Feb 26, 2019
Closed
@Westbrook
Copy link

Can we get a release of these security updates, please?

@johnjbarton
Copy link
Contributor

Once we know that the npm audit at head is clean.

@e-mihaylin
Copy link

Once we know that the npm audit at head is clean.

just checked, issue persists(

This was referenced Feb 27, 2019
Closed
Closed
@karronoli karronoli mentioned this issue Aug 16, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@johnjbarton @KurtPreston @dominik-bln @Westbrook @SteinRobert @luc-tielen @e-mihaylin @Adam-Kernig @maeisdev