cheton/browserify-css

Security: Update `find-node-modules` to resolve `braces` vulnerability

G-Rath opened this issue · 1 comment

```
Low             Regular Expression Denial of Service
Package         braces
Patched in      >=2.3.1
Dependency of   browserify-css [dev]
Path            browserify-css > find-node-modules > findup-sync > micromatch > braces
More info       https://npmjs.com/advisories/786
```

I have made a comment requesting a new version of micromatch@2.x.x be released with an update to the braces dependency, which might happen and thus resolve this.

However, ideally browserify-css should update find-node-modules to v2.0.0, to resolve this security vulnerability.

Also hoping for a dependency version bump up to get rid of the vulnerability. Doing it by hand introduces a whole new process to deployment.