Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

micromatch vulnerable at v4.0.5 #1004

Closed
benjsmi opened this issue May 16, 2024 · 3 comments
Closed

micromatch vulnerable at v4.0.5 #1004

benjsmi opened this issue May 16, 2024 · 3 comments
Labels

Comments

@benjsmi
Copy link

benjsmi commented May 16, 2024

Describe the feature you'd love to see

https://github.com/chimurai/http-proxy-middleware/blob/master/package.json#L93

micromatch is vulnerable at v4.0.5 as per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067. To me, it doesn't look like they are going to cut a new release -- their last commit was in 2019.

So this is a feature request to move to a different matching package -- one that is maintained more regularly or at least isn't vulnerable to this CVE.

Additional context (optional)

No response

@chimurai
Copy link
Owner

chimurai commented May 19, 2024

Thanks for the report.

To get some facts right:
micromatch last commit dates 2 months ago (March 28th 2024) (not 2019 like you mentioned).
See commit: micromatch/micromatch@6b3526f

Please follow threads in micromatch with ongoing updates:

A fix has landed in micromatch/braces and will be released in 3.0.3

Suggestion is to monitor the upstream progress.
And update your transitive packages as soon as the fix has been released.

@paulmillr
Copy link

There is NO vulnerability: micromatch/braces#37 (comment)

@chimurai
Copy link
Owner

To resolve the issue, update your package lockfile to [email protected] or higher.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants