Dependency on insecure version of braces (Node security advisory 786)
Is this a bug report?
Yes.
Did you try recovering your dependencies?
I don’t think this step is necessary, due to the error being present in a brand new project.
Which terms did you search for in User Guide?
None.
Environment
Environment Info:
System:
OS: macOS 10.14.3
CPU: x64 Intel(R) Core(TM) i5-4278U CPU @ 2.60GHz
Binaries:
Node: 10.15.0 - /usr/local/opt/node@10/bin/node
Yarn: 1.13.0 - /usr/local/bin/yarn
npm: 6.4.1 - /usr/local/opt/node@10/bin/npm
Browsers:
Chrome: 72.0.3626.109
Firefox: 65.0
Safari: 12.0.3
npmPackages:
react: ^16.8.2 => 16.8.2
react-dom: ^16.8.2 => 16.8.2
react-scripts: 2.1.5 => 2.1.5
npmGlobalPackages:
create-react-app: Not Found
Steps to Reproduce
yarn create react-app my-app
cd my-app/
yarn audit
In addition, I’ve tried to add braces as a top-level dependency using yarn add braces. That didn’t help.
Expected Behavior
Pass.
Actual Behavior
Fail:
➜ my-app git:(master) yarn audit
yarn audit v1.13.0
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > babel-jest > babel-plugin-istanbul >         │
│               │ test-exclude > micromatch > braces                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/786                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
…
63 vulnerabilities found - Packages audited: 36332
Severity: 63 Low
✨ Done in 3.12s.
Reproducible Demo
I don’t think this is necessary, due to the required steps being very few.
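The audit table above is the human-readable rendering of what `yarn audit --json` (yarn 1.x) emits as newline-delimited JSON. The script below is an added example, not code from the issue or from the create-react-app project: it parses that stream, groups findings by advisory id, and reports for each whether the vulnerable package is a direct dependency or only reachable through a nested path. A finding whose every path contains ">" is transitive, which is why installing braces at the top level does not change what micromatch resolves deep in the tree. Assumptions: the record shape (`type: "auditAdvisory"` with `data.advisory` and `data.resolution`, `type: "auditSummary"` with `data.totalDependencies`) follows yarn 1.x; the sample input is constructed, and its second path is hypothetical.

```javascript
// Rank used to compare severities against a threshold.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample of `yarn audit --json` output (yarn 1.x NDJSON shape is
// assumed). The first path mirrors the issue; the second path is hypothetical.
const BRACES_ADVISORY = {
  id: 786,
  module_name: 'braces',
  severity: 'low',
  title: 'Regular Expression Denial of Service',
  patched_versions: '>=2.3.1',
  url: 'https://nodesecurity.io/advisories/786',
};
const SAMPLE_AUDIT = [
  JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id: 786, dev: false,
        path: 'react-scripts>babel-jest>babel-plugin-istanbul>test-exclude>micromatch>braces' },
      advisory: BRACES_ADVISORY,
    },
  }),
  JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id: 786, dev: false, path: 'react-scripts>some-other-dep>micromatch>braces' }, // hypothetical
      advisory: BRACES_ADVISORY,
    },
  }),
  'not json: progress noise that a tolerant parser should skip',
  JSON.stringify({
    type: 'auditSummary',
    data: { vulnerabilities: { info: 0, low: 2, moderate: 0, high: 0, critical: 0 }, totalDependencies: 36332 },
  }),
].join('\n');

// Parse the NDJSON stream into advisories keyed by id, collecting every
// dependency path through which each advisory is reachable.
function parseYarnAudit(ndjson) {
  const advisories = new Map();
  let summary = null;
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try {
      record = JSON.parse(line);
    } catch (e) {
      continue; // skip lines that are not JSON records
    }
    if (record.type === 'auditAdvisory') {
      const { advisory, resolution } = record.data;
      const entry = advisories.get(advisory.id) || { ...advisory, paths: [] };
      entry.paths.push({ path: resolution.path, dev: Boolean(resolution.dev) });
      advisories.set(advisory.id, entry);
    } else if (record.type === 'auditSummary') {
      summary = record.data;
    }
  }
  return { advisories, summary };
}

// Summarise findings at or above `minSeverity`. `direct` is true only when the
// vulnerable module is itself a top-level dependency (path without '>').
function triageAudit(ndjson, minSeverity = 'low') {
  const threshold = SEVERITY_RANK[minSeverity];
  const { advisories, summary } = parseYarnAudit(ndjson);
  const findings = [];
  for (const adv of advisories.values()) {
    if (SEVERITY_RANK[adv.severity] < threshold) continue;
    findings.push({
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      patchedIn: adv.patched_versions,
      direct: adv.paths.some((p) => !p.path.includes('>')),
      paths: adv.paths.map((p) => p.path),
    });
  }
  return {
    findings,
    shouldFail: findings.length > 0,
    totalAudited: summary ? summary.totalDependencies : null,
  };
}

// Stand-alone run: print the triage of the constructed sample.
console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT), null, 2));
```

Running the script against real output means piping `yarn audit --json` into it; the `direct` flag is the quick way to tell whether a fix belongs in your own package.json or, as in this issue, has to come from an upstream release that bumps the nested dependency.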
Issue Analytics
- Created 5 years ago
- Reactions: 55
- Comments: 34 (7 by maintainers)
Top GitHub Comments
Let’s focus on the issue here. This is not the place to debate the merits of npm audit or how your CI should be set up. Since Jest isn’t planning to backport this fix to Jest 23 the only thing we can do is release a major version of Create React App with Jest 24. We are currently working on that and you can follow the progress on upgrading to Jest 24 here: https://github.com/facebook/create-react-app/pull/6278
Handlebars just joined the party with a High priority vulnerability too