Update to anymatch 2.0.0 to appease npm audit

Question

Update to anymatch 2.0.0 to appease npm audit

joebowbeer opened this issue 6 years ago · comments

Joe Bowbeer commented 6 years ago

npm audit now reports that braces <2.3.1 is vulnerable to attack:

https://www.npmjs.com/advisories/786

gulp-watch@5.0.1 > anymatch@1.3.2 > micromatch@2.3.11 > braces@1.8.5

Updating gulp-watch to anymatch@2.0.0 should fix the issue.

Cam Tullos · Answer 1 · Thu Mar 28 2019 02:09:29 GMT+0800 (China Standard Time)

Any eta on this?

Morph · Answer 2 · Tue May 07 2019 21:47:07 GMT+0800 (China Standard Time)

npm audit message:

Low	Regular Expression Denial of Service
Package	braces
Patched in	>=2.3.1
Dependency of	gulp-watch [dev]
Path	gulp-watch > anymatch > micromatch > braces
More info	https://nodesecurity.io/advisories/786

More info:

Overview
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Remediation
Upgrade to version 2.3.1 or higher.

Jay Collett · Answer 3 · Wed Nov 11 2020 23:29:45 GMT+0800 (China Standard Time)

Still getting this notification.