Update to anymatch 2.0.0 to appease npm audit
joebowbeer opened this issue
Joe Bowbeer commented
npm audit now reports that braces <2.3.1 is vulnerable to attack:
https://www.npmjs.com/advisories/786
gulp-watch@5.0.1 > anymatch@1.3.2 > micromatch@2.3.11 > braces@1.8.5
Updating gulp-watch to anymatch@2.0.0 should fix the issue.
Cam Tullos commented
Any ETA on this?
Morph commented
npm audit message:

| Low | Regular Expression Denial of Service |
|---|---|
| Package | braces |
| Patched in | >=2.3.1 |
| Dependency of | gulp-watch [dev] |
| Path | gulp-watch > anymatch > micromatch > braces |
| More info | https://nodesecurity.io/advisories/786 |

More info:

Overview

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service.

Remediation

Upgrade to version 2.3.1 or higher.
Jay Collett commented
Still getting this notification.
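The audit path quoted in this thread (gulp-watch > anymatch > micromatch > braces) is what npm audit computes by following each package's `requires` entries through the lockfile, so the report only disappears once every such chain resolves to a braces version at or above the patched one. The following is an added example, not code from gulp-watch, anymatch or npm: it takes the direct dependencies from package.json plus a lockfileVersion 1 package-lock.json, resolves each `requires` entry the way Node resolves node_modules (nested scope first, then parent scopes), and lists every path that ends at the advisory's package with a version below "Patched in". The two lockfile objects, the `other-tool` package and all version ranges in them are constructed for the example.

```javascript
'use strict';

// Added example, not from gulp-watch, anymatch or npm. Reproduces the
// "a > b > c" paths npm audit prints for a package whose installed version is
// below an advisory's "Patched in" version, using a lockfileVersion 1 tree.
// All lockfile contents below are constructed for illustration.

// Compare two "major.minor.patch" versions numerically (prerelease tags ignored).
// Returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Resolve `name` the way Node does: innermost node_modules first, then parents.
// `scopes` is a list of lockfile "dependencies" maps, innermost first.
// On success, returns the entry plus the scope list its own requires see.
function resolve(name, scopes) {
  for (let i = 0; i < scopes.length; i++) {
    const deps = scopes[i];
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) {
      const meta = deps[name];
      return { meta, scopes: [meta.dependencies].concat(scopes.slice(i)) };
    }
  }
  return null;
}

// Walk the logical dependency graph (each entry's "requires") starting from the
// direct dependencies, and collect every path ending at `pkg` older than `patchedIn`.
function findVulnerablePaths(directDeps, lock, pkg, patchedIn) {
  const hits = [];
  function visit(name, scopes, trail) {
    if (trail.includes(name)) return; // cycle guard for circular dependencies
    const found = resolve(name, scopes);
    if (!found) return;               // not installed: lockfile is inconsistent
    const here = trail.concat(name);
    if (name === pkg && compareVersions(found.meta.version, patchedIn) < 0) {
      hits.push({ path: here.join(' > '), version: found.meta.version });
    }
    for (const dep of Object.keys(found.meta.requires || {})) {
      visit(dep, found.scopes, here);
    }
  }
  for (const name of directDeps) visit(name, [lock.dependencies], []);
  return hits;
}

// Constructed lockfile mirroring the thread: everything hoisted to the top level.
const VULNERABLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-watch': { version: '5.0.1', requires: { anymatch: '^1.3.0' } },
    anymatch: { version: '1.3.2', requires: { micromatch: '^2.1.5' } },
    micromatch: { version: '2.3.11', requires: { braces: '^1.8.2' } },
    braces: { version: '1.8.5', requires: {} },
  },
};

// Constructed lockfile after gulp-watch moves to anymatch 2.x: the new chain is
// nested under gulp-watch, while a hypothetical second package ("other-tool")
// still depends on the hoisted anymatch 1.x chain.
const FIXED_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-watch': {
      version: '5.0.1',
      requires: { anymatch: '^2.0.0' },
      dependencies: {
        anymatch: { version: '2.0.0', requires: { micromatch: '^3.1.4' } },
        micromatch: { version: '3.1.10', requires: { braces: '^2.3.1' } },
        braces: { version: '2.3.2', requires: {} },
      },
    },
    'other-tool': { version: '1.0.0', requires: { anymatch: '^1.3.0' } },
    anymatch: { version: '1.3.2', requires: { micromatch: '^2.1.5' } },
    micromatch: { version: '2.3.11', requires: { braces: '^1.8.2' } },
    braces: { version: '1.8.5', requires: {} },
  },
};

// Render the report the way a human reads the audit table: one path per line.
function formatReport(hits, pkg, patchedIn) {
  if (hits.length === 0) return `${pkg}: no paths below ${patchedIn}`;
  return hits.map((h) => `${pkg}@${h.version} via ${h.path}`).join('\n');
}

console.log(formatReport(findVulnerablePaths(['gulp-watch'], VULNERABLE_LOCK, 'braces', '2.3.1'), 'braces', '2.3.1'));
console.log(formatReport(findVulnerablePaths(['gulp-watch', 'other-tool'], FIXED_LOCK, 'braces', '2.3.1'), 'braces', '2.3.1'));
```

Run with `node check.js`. The second lockfile shows why bumping one dependant may not silence the audit: the nested anymatch@2.0.0 chain under gulp-watch resolves to braces@2.3.2 and drops out of the report, but any other package that still requires the old anymatch keeps the hoisted braces@1.8.5 reachable, and that path is still listed. Checking `requires` rather than only the physical nesting is what makes the path match npm's output.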