lint-staged dependency: micromatch vulnerability #1467

Closed
AnnaKozlova opened this issue Aug 26, 2024 · 6 comments

Comments

@AnnaKozlova

Description

lint-staged has "micromatch": "~4.0.7", but micromatch <4.0.8 contains a vulnerability.

Steps to reproduce

  1. Choose the latest version of the library
  2. Run npm install

Debug Logs

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv

Environment

@rupeshdeotale97

I'm having the same issue; a Mend scan reports it as a high finding. Thanks

@iiroj
Member

iiroj commented Aug 27, 2024

Our package.json lists a non-specific version, so it should allow you to upgrade it locally:

"micromatch": "~4.0.7",

"Include everything greater than a particular version in the same minor range"

As can be tested here, 4.0.8 is also matched: https://semver.npmjs.com/
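The point of the reply above is that a declared range like "~4.0.7" is not a pin: what actually gets installed is whatever version your lockfile resolved, which may still be 4.0.7 even though the range admits 4.0.8. The script below is an added example, not code from lint-staged or micromatch, that checks a package-lock.json (v2/v3 layout, where "packages" is keyed by install path) for every installed copy of a package, reports whether each copy is within the declared tilde range, and whether it is at or above the version the advisory names as fixed. The lockfile excerpt is constructed for the demo, and the helper names (satisfiesTilde, findInstalled, auditPackage) are this example's own; it handles only plain x.y.z versions and ~x.y.z ranges, not the full npm semver grammar.

```javascript
// Added example (not lint-staged's or micromatch's own code): audit the
// micromatch copies resolved in a package-lock.json against the declared
// tilde range and the patched version. Plain Node.js, no third-party modules.

// Parse "4.0.7" into [4, 0, 7]. Prerelease and build tags are not supported
// here; npm's own semver library would be needed for those.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator over x.y.z versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Tilde semantics as npm defines them for a full x.y.z version:
// "~4.0.7" means >=4.0.7 <4.1.0, i.e. patch-level changes only.
function satisfiesTilde(range, version) {
  if (!range.startsWith('~')) throw new Error('only ~x.y.z ranges are handled');
  const [major, minor, patch] = parseVersion(range.slice(1));
  const [vMajor, vMinor, vPatch] = parseVersion(version);
  return vMajor === major && vMinor === minor && vPatch >= patch;
}

// Walk the lockfile "packages" map and return every installed copy of a
// package. Nested copies live under ".../node_modules/<name>".
function findInstalled(lockfile, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// For each installed copy: is it inside the declared range, and is it at or
// above the version the advisory names as fixed?
function auditPackage(lockfile, name, declaredRange, fixedVersion) {
  return findInstalled(lockfile, name).map(({ path, version }) => ({
    path,
    version,
    withinRange: satisfiesTilde(declaredRange, version),
    patched: compareVersions(version, fixedVersion) >= 0,
  }));
}

// Constructed lockfile excerpt (hypothetical): lint-staged declares ~4.0.7,
// the top-level copy was resolved to 4.0.7 when the lockfile was written, and
// a nested copy under another tool was resolved to 4.0.8.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/lint-staged': {
      version: '15.2.0',
      dependencies: { micromatch: '~4.0.7' },
    },
    'node_modules/micromatch': { version: '4.0.7' },
    'node_modules/some-other-tool/node_modules/micromatch': { version: '4.0.8' },
  },
};

const report = auditPackage(SAMPLE_LOCKFILE, 'micromatch', '~4.0.7', '4.0.8');
for (const r of report) {
  console.log(`${r.path}@${r.version}: in-range=${r.withinRange} patched=${r.patched}`);
}
```

On a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A copy that is "withinRange" but not "patched" is exactly the case in this issue: the declared range already permits the fix, and `npm update micromatch` (or `npm audit fix`) only has to re-resolve the lockfile, no change to lint-staged's package.json needed.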

@AnnaKozlova
Author

In my project there was only one vulnerability issue related to this, and the npm audit fix command resolved it and set up the correct version.

You are right. As this is only a patch version and lint-staged uses ~, there is no problem here.

@iiroj iiroj pinned this issue Aug 27, 2024
@iiroj iiroj closed this as not planned Aug 27, 2024
@ilya-byborg

@iiroj Is it possible to bump micromatch version to the latest for lint-staged v14?

@iiroj
Member

iiroj commented Aug 30, 2024

@ilya-byborg I don't want to spend time updating micromatch because honestly I think these vulnerabilities are more theoretical than anything. It has had multiple "high" or "critical" vulnerabilities but in the end it's about the file globs you configure in your own lint-staged config.

I'll update the minimum version to ~4.0.8 along with other dependencies in the next update to v15 (or v16).

@slorber

slorber commented Oct 24, 2024

Lint-staged 13.3.0 has a pinned version dependency on micromatch.

This has been reverted in 15.2.5

Those that want to use micromatch without the warning should avoid any release in between those versions.
