Comments (6)
@babradshaw any update on the above micromatch:4.0.5?
Any updates on the above? New release?
@babradshaw this pull request should fix it. Hopefully the maintainers can merge this ASAP.
Hi @jonschlinkert,
We have followed all the guidelines for responsible disclosure. We remind you that we didn't get a direct response from you.
We have tested the latest micromatch version, 4.0.7, and the ReDoS vulnerability (CVE-2024-4067) still exists. Our PoC showed the program will hang for longer as the size of the input increases, which can cause Denial of Service. Therefore, updating braces (92d490d) won't solve this vulnerability.
We understand your concerns, and it's a far-fetched situation to encounter the vulnerability in a dependency, but as reported in our email, it's still possible. We maintain our position that it's a valid vulnerability. However, we considered that the score was initially too high for the real impact it can have, so we have recalculated its severity accordingly.
Regarding CVE-2024-4068, we confirm it was fixed in braces version 3.0.3.
Best regards,
Mário Teixeira
@MarioTeixeiraCx send me an email with the vuln. I have repo and npm access.
Thank you, @paulmillr. I have forwarded the email thread.