
Please upgrade to latest braces version #3269

Closed
maeisdev opened this issue Feb 17, 2019 · 12 comments
@maeisdev

Expected behaviour

Updated to braces 2.3.1.

Actual behaviour

 === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > expand-braces > braces                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Environment Details

Karma version: 4.0.0

@Adam-Kernig

@maedewiza I don't want to disrupt this too much, but how did you copy the npm audit text in so cleanly? I have reported this issue in angular also, just wondering :)

@Adam-Kernig

Update:
Braces has not been updated in 4 years. Is it wise to have this package in at all?

@luc-tielen

This fixed it for me (add to package.json), but hopefully it's only temporarily needed:

  "resolutions": {
    "braces": "^2.3.2"
  }

@dominik-bln

Seems to work only for yarn, anyone got a working solution for npm?
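
An added example, not from the karma project or anyone in this thread, that reproduces the audit table's path-and-version check over a constructed package-lock.json v1 fragment (the lockfile contents and versions are assumptions; the comparison handles plain release versions only):

```javascript
// Added example, not code from karma or this thread: walk a package-lock.json
// v1 "dependencies" tree and list every path to a package installed below the
// patched version, like the audit table's "karma > expand-braces > braces".
// Constructed lockfile fragment; versions are illustrative assumptions.
const sampleLock = {
  dependencies: {
    karma: {
      version: '4.0.0',
      dev: true,
      dependencies: {
        'expand-braces': {
          version: '0.1.2',
          dependencies: { braces: { version: '0.1.5' } },
        },
      },
    },
    braces: { version: '2.3.2' }, // hoisted copy, already patched
  },
};
// Numeric major.minor.patch comparison; prerelease tags are ignored, which
// is enough for the release versions above.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Collect "parent > child > ..." paths to `pkg` with version < `patchedIn`.
// Lockfile v1 nests `dependencies` for transitive installs that could not
// be hoisted, so the patched top-level copy does not hide the old one.
function findUnpatched(lock, pkg, patchedIn) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkg && compareVersions(entry.version, patchedIn) < 0) {
        hits.push({ path: path.join(' > '), version: entry.version });
      }
      walk(entry.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

console.log(findUnpatched(sampleLock, 'braces', '2.3.1'));
```

Running it against a real lockfile means replacing `sampleLock` with the parsed file; the hoisted 2.3.2 copy is correctly skipped while the nested 0.1.5 copy under expand-braces is reported.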

SteinRobert added a commit to SteinRobert/karma that referenced this issue Feb 18, 2019
Remove `expand-braces` as a dependency. Use `braces.expand` instead
now.

Fixes karma-runner#3268
Fixes karma-runner#3269
johnjbarton pushed a commit that referenced this issue Feb 19, 2019
Remove `expand-braces` as a dependency. Use `braces.expand` instead
now.

Fixes #3268
Fixes #3269
@KurtPreston

@SteinRobert any chance of releasing this fix on a 3.x build?

@SteinRobert
Contributor

@KurtPreston that's not for me to decide - I just provided the PR. I'm not a maintainer/owner of this project. However from what I see in this repo it seems unlikely.

@KurtPreston

@SteinRobert Sorry, my mistake, misread the PR. Thanks for the patch!
@johnjbarton Any chance of releasing this fix on a 3.x build?

@johnjbarton
Contributor

We should get #3265 fixed first. (And this will be on 4.x)

@Adam-Kernig

When is this master version going to be launched so we can update? Will this be 4.0.1?

@Westbrook

Can we get a release of these security updates, please?

@johnjbarton
Contributor

Once we know that the npm audit at head is clean.

@e-mihaylin

Once we know that the npm audit at head is clean.

just checked, issue persists(
