
1 low severity vulnerability #26

Closed
aha-oretama opened this issue May 8, 2019 · 1 comment

@aha-oretama

There is 1 low severity vulnerability.

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wdio-json-reporter [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wdio-json-reporter > jest-matchers > jest-message-util >     │
│               │ micromatch > braces                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
@fijijavis (Collaborator)

yarn.lock has 2 versions of braces. Using yarn why, it shows those are introduced as follows:

yarn why braces
yarn why v1.15.2
[1/4] 🤔  Why do we have the module "braces"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "braces@2.3.2"
info Reasons this module exists
   - "micromatch" depends on it
   - Hoisted from "micromatch#braces"
info Disk size without dependencies: "76KB"
info Disk size with unique dependencies: "1.25MB"
info Disk size with transitive dependencies: "3.81MB"
info Number of shared dependencies: 29
=> Found "jest-matchers#braces@1.8.5"
info Reasons this module exists
   - "jest-matchers#jest-message-util#micromatch" depends on it
   - Hoisted from "jest-matchers#jest-message-util#micromatch#braces"
info Disk size without dependencies: "24KB"
info Disk size with unique dependencies: "180KB"
info Disk size with transitive dependencies: "352KB"
info Number of shared dependencies: 10
✨  Done in 0.45s.

So... jest-matchers is the package that needs to update.

As a temporary fix I have added a resolution to the package.json to not allow the lower version of braces to be used.
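The check described in this thread (find every locked version of braces in yarn.lock, compare it against the "Patched in" range from the audit report, and derive the package.json resolution that pins the patched line), written here as an added example that is not part of the project or this issue. The yarn.lock excerpt is constructed to mirror the two braces versions yarn why reported; the tarball hashes are placeholders.

```python
import re

# Constructed yarn.lock excerpt modelled on the yarn why output above
# (not the project's real lockfile; the resolved hashes are placeholders).
SAMPLE_YARN_LOCK = """\
braces@^1.8.2:
  version "1.8.5"
  resolved "https://registry.yarnpkg.com/braces/-/braces-1.8.5.tgz#placeholder-hash"
  dependencies:
    expand-range "^1.8.1"

braces@^2.3.1:
  version "2.3.2"
  resolved "https://registry.yarnpkg.com/braces/-/braces-2.3.2.tgz#placeholder-hash"
  dependencies:
    arr-flatten "^1.1.0"
"""

# A yarn.lock entry starts at column 0 with one or more "name@range" keys,
# followed by an indented 'version "x.y.z"' line.
ENTRY_RE = re.compile(r'^(?P<keys>\S.*):\n  version "(?P<version>[^"]+)"', re.MULTILINE)


def parse_version(v):
    """Numeric dotted prefix as a tuple; pre-release suffixes are ignored here."""
    return tuple(int(x) for x in re.match(r"[\d.]+", v).group().strip(".").split("."))


def locked_versions(lock_text, package):
    """Every distinct version of `package` that yarn.lock resolves to."""
    found = set()
    for m in ENTRY_RE.finditer(lock_text):
        specs = [s.strip().strip('"') for s in m.group("keys").split(",")]
        # rsplit keeps scoped names such as @scope/pkg intact.
        if any(s.rsplit("@", 1)[0] == package for s in specs):
            found.add(m.group("version"))
    return found


def vulnerable_versions(lock_text, package, patched_min):
    """Locked versions below the 'Patched in' floor from the audit report."""
    return sorted(v for v in locked_versions(lock_text, package)
                  if parse_version(v) < parse_version(patched_min))


def suggested_resolutions(lock_text, package, patched_min):
    """package.json 'resolutions' entry forcing the patched line, if needed."""
    if vulnerable_versions(lock_text, package, patched_min):
        return {"resolutions": {package: f">={patched_min}"}}
    return {}
```

The resolution only masks the transitive pin; the lasting fix is still the upstream dependency update that the comment above identifies.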
