add helper method of upload response step to be re-used for other tests

functional-test/fixtures/steps/upload.response.ts

@@ -3,6 +3,7 @@ import {BaseStep} from './base';
 import {credentials} from "../../config/config";
 import performAppealDormantOnCase from "../../api/client/sscs/appeal.event";
 import createCaseBasedOnCaseType from "../../api/client/sscs/factory/appeal.type.factory";
+import {StepsHelper} from "../../helpers/stepsHelper";
 
 const responseReviewedTestData = require('../../pages/content/response.reviewed_en.json');
 const uploadResponseTestdata = require('../../pages/content/upload.response_en.json');
@@ -11,29 +12,22 @@ export class UploadResponse extends BaseStep {
 
     private static caseId: string;
     readonly page: Page;
+    protected stepsHelper: StepsHelper;
 
     private presetLinks: string[] = ['Upload response', 'Ready to list', 'Update to case data', 'Add a hearing'];
 
     constructor(page: Page) {
         super(page);
         this.page = page;
+        this.stepsHelper = new StepsHelper(this.page);
     }
 
 
     async performUploadResponseWithFurtherInfoOnAPIP() {
 
         let pipCaseId = await createCaseBasedOnCaseType("PIP");
         await this.loginUserWithCaseId(credentials.dwpResponseWriter, false, pipCaseId);
-
-        //await this.homePage.waitForLoadState();
-        await this.homePage.chooseEvent('Upload response');
-        await this.homePage.delay(4000);
-        //await this.homePage.waitForLoadState();
-        await this.uploadResponsePage.verifyPageContent();
-        await this.uploadResponsePage.uploadDocs();
-        await this.uploadResponsePage.selectIssueCode(uploadResponseTestdata.pipIssueCode);
-        await this.uploadResponsePage.chooseAssistOption('Yes');
-        await this.uploadResponsePage.continueSubmission();
+        await this.stepsHelper.uploadResponseHelper(uploadResponseTestdata.pipIssueCode, 'Yes');
 
         await this.checkYourAnswersPage.verifyCYAPageContent("Upload response",
             uploadResponseTestdata.pipBenefitCode, uploadResponseTestdata.pipIssueCode);
@@ -63,13 +57,7 @@ export class UploadResponse extends BaseStep {
 
         let taxCaseId = await createCaseBasedOnCaseType("TAX CREDIT");
         await this.loginUserWithCaseId(credentials.hmrcUser, false, taxCaseId);
-        await this.homePage.chooseEvent('Upload response');
-        await this.homePage.delay(4000);
-        await this.uploadResponsePage.verifyPageContent();
-        await this.uploadResponsePage.uploadDocs();
-        await this.uploadResponsePage.selectIssueCode(uploadResponseTestdata.taxIssueCode);
-        await this.uploadResponsePage.chooseAssistOption('No');
-        await this.uploadResponsePage.continueSubmission();
+        await this.stepsHelper.uploadResponseHelper(uploadResponseTestdata.taxIssueCode, 'No');
 
         await this.checkYourAnswersPage.verifyCYAPageContent("Upload response", uploadResponseTestdata.taxBenefitCode, uploadResponseTestdata.taxIssueCode);
         await this.checkYourAnswersPage.confirmSubmission();

functional-test/helpers/stepsHelper.ts

@@ -0,0 +1,27 @@
+import {Page} from '@playwright/test';
+import {HomePage} from '../pages/common/homePage';
+import {UploadResponsePage} from '../pages/upload.response.page';
+
+export class StepsHelper {
+
+    readonly page: Page;
+    public homePage: HomePage;
+    public uploadResponsePage: UploadResponsePage;
+
+    constructor(page: Page) {
+        this.page = page;
+        this.homePage = new HomePage(this.page);
+        this.uploadResponsePage = new UploadResponsePage(this.page);
+    }
+
+    async uploadResponseHelper(issueCodeData: string, assistOption: string) {
+        await this.homePage.chooseEvent('Upload response');
+        await this.homePage.delay(4000);    
+
+        await this.uploadResponsePage.verifyPageContent();
+        await this.uploadResponsePage.uploadDocs();
+        await this.uploadResponsePage.selectIssueCode(issueCodeData);
+        await this.uploadResponsePage.chooseAssistOption(assistOption);
+        await this.uploadResponsePage.continueSubmission();
+    }
+}

yarn-audit-known-issues

@@ -1 +1 @@
-{"actions":[],"advisories":{"1096525":{"findings":[{"version":"0.26.1","paths":["codeceptjs>axios","codeceptjs>openai>axios"]}],"metadata":null,"vulnerable_versions":">=0.8.1 <0.28.0","module_name":"axios","severity":"moderate","github_advisory_id":"GHSA-wf5p-g6vw-rhxx","cves":["CVE-2023-45857"],"access":"public","patched_versions":">=0.28.0","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},"updated":"2024-02-20T20:02:28.000Z","recommendation":"Upgrade to version 0.28.0 or later","cwe":["CWE-352"],"found_by":null,"deleted":null,"id":1096525,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-45857\n- https://github.com/axios/axios/issues/6006\n- https://github.com/axios/axios/issues/6022\n- https://github.com/axios/axios/pull/6028\n- https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0\n- https://github.com/axios/axios/releases/tag/v1.6.0\n- https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459\n- https://github.com/axios/axios/pull/6091\n- https://github.com/axios/axios/commit/2755df562b9c194fba6d8b609a383443f6a6e967\n- https://github.com/axios/axios/releases/tag/v0.28.0\n- https://github.com/advisories/GHSA-wf5p-g6vw-rhxx","created":"2023-11-08T21:30:37.000Z","reported_by":null,"title":"Axios Cross-Site Request Forgery Vulnerability","npm_advisory_id":null,"overview":"An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.","url":"https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"},"1096915":{"findings":[{"version":"6.1.13","paths":["codeceptjs>mocha>chokidar>fsevents>node-gyp>tar","codeceptjs>@codeceptjs/detox-helper>detox>bunyan>dtrace-provider>node-gyp>tar","codeceptjs>mocha>chokidar>fsevents>node-gyp>make-fetch-happen>cacache>tar","codeceptjs>@codeceptjs/detox-helper>detox>bunyan>dtrace-provider>node-gyp>make-fetch-happen>cacache>tar","codeceptjs>@codeceptjs/detox-helper>detox>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>cacache>tar","codeceptjs>@codeceptjs/detox-helper>detox>bunyan-debug-stream>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>cacache>tar","codeceptjs>@codeceptjs/detox-helper>detox>jest-environment-emit>bunyan-debug-stream>bunyan>dtrace-provider>nan>node-gyp>make-fetch-happen>cacache>tar"]}],"metadata":null,"vulnerable_versions":"<6.2.1","module_name":"tar","severity":"moderate","github_advisory_id":"GHSA-f5x3-32g6-xq36","cves":["CVE-2024-28863"],"access":"public","patched_versions":">=6.2.1","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2024-04-09T19:02:32.000Z","recommendation":"Upgrade to version 6.2.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1096915,"references":"- https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36\n- https://nvd.nist.gov/vuln/detail/CVE-2024-28863\n- https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7\n- https://github.com/advisories/GHSA-f5x3-32g6-xq36","created":"2024-03-22T16:57:05.000Z","reported_by":null,"title":"Denial of service while parsing a tar file due to lack of folders count validation","npm_advisory_id":null,"overview":"## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm&response-content-type=video%2Fwebm&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt&response-content-type=text%2Fplain&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz&response-content-type=application%2Fx-tar&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago","url":"https://github.com/advisories/GHSA-f5x3-32g6-xq36"},"1096967":{"findings":[{"version":"3.7.0","paths":["codeceptjs>pactum>phin"]}],"metadata":null,"vulnerable_versions":"<3.7.1","module_name":"phin","severity":"moderate","github_advisory_id":"GHSA-x565-32qp-m3vf","cves":[],"access":"public","patched_versions":">=3.7.1","cvss":{"score":4.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"},"updated":"2024-04-11T21:30:32.000Z","recommendation":"Upgrade to version 3.7.1 or later","cwe":["CWE-200"],"found_by":null,"deleted":null,"id":1096967,"references":"- https://github.com/ethanent/phin/security/advisories/GHSA-x565-32qp-m3vf\n- https://github.com/ethanent/phin/commit/c071f95336a987dad9332fd388adeb249925cc57\n- https://github.com/advisories/GHSA-x565-32qp-m3vf","created":"2024-04-11T21:30:30.000Z","reported_by":null,"title":"phin may include sensitive headers in subsequent requests after redirect","npm_advisory_id":null,"overview":"### Impact\n\nUsers may be impacted if sending requests including sensitive data in specific headers with `followRedirects` enabled.\n\n### Patches\n\nThe [follow-redirects](https://github.com/follow-redirects/follow-redirects) library is now being used for redirects and removes some headers that may contain sensitive information in some situations.\n\n### Workarounds\n\nN/A. Please update to resolve the issue.","url":"https://github.com/advisories/GHSA-x565-32qp-m3vf"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":10,"high":0,"critical":0},"dependencies":843,"devDependencies":0,"optionalDependencies":0,"totalDependencies":843}}
+{"actions":[],"advisories":{"1097496":{"findings":[{"version":"3.0.2","paths":["codeceptjs>mocha>chokidar>braces","codeceptjs>@codeceptjs/detox-helper>react-native>@react-native/codegen>jscodeshift>micromatch>braces","codeceptjs>@codeceptjs/detox-helper>react-native>@react-native/community-cli-plugin>metro>metro-file-map>micromatch>braces","codeceptjs>@codeceptjs/detox-helper>react-native>@react-native/community-cli-plugin>metro-config>metro>metro-file-map>micromatch>braces","codeceptjs>@codeceptjs/detox-helper>react-native>@react-native/community-cli-plugin>@react-native/metro-babel-transformer>@react-native/babel-preset>@react-native/babel-plugin-codegen>@react-native/codegen>jscodeshift>micromatch>braces"]}],"metadata":null,"vulnerable_versions":"<3.0.3","module_name":"braces","severity":"high","github_advisory_id":"GHSA-grv7-fg5c-xmjg","cves":["CVE-2024-4068"],"access":"public","patched_versions":">=3.0.3","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-06-10T20:17:26.000Z","recommendation":"Upgrade to version 3.0.3 or later","cwe":["CWE-1050"],"found_by":null,"deleted":null,"id":1097496,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4068\n- https://github.com/micromatch/braces/issues/35\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4068\n- https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\n- https://github.com/micromatch/braces/pull/37\n- https://github.com/micromatch/braces/pull/40\n- https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\n- https://github.com/advisories/GHSA-grv7-fg5c-xmjg","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Uncontrolled resource consumption in braces","npm_advisory_id":null,"overview":"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.\n","url":"https://github.com/advisories/GHSA-grv7-fg5c-xmjg"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":5,"critical":0},"dependencies":843,"devDependencies":0,"optionalDependencies":0,"totalDependencies":843}}