Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg

[bot2x]

What version of Tailwind CSS are you using?

For example: v3.4.3

What build tool (or framework if it abstracts the build tool) are you using?

For example: [email protected], [email protected]

Describe your issue

My npm audit reported:

braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg

Result of "npm ls braces"
└─┬ [email protected]
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└── [email protected] deduped

Checked the version 3.4.4 which still uses braces 3.0.2.

As per this, the issue is noticed in versions prior to 3.0.3. Also, this has fixed the issue in braces 3.0.3

[thecrypticace]

You can run npm audit fix to address this in your project. Nothing in Tailwind CSS requires an earlier version and if you perform a fresh install of the latest version you'll get v3.0.3 of braces:

[KNHui]

I use yarn as a package manager. But yarn doesn't provide audit command, so I solved it in the following way:

1. Generate a package-lock.json file without installing node modules

npm i --package-lock-only

2. Fix the packages and update the package-lock.json file

npm audit fix

3. Delete the yarn.lock file and convert package-lock.json file into yarn.lock

rm yarn.lock
yarn import # or yarn install

4. Delete the package-lock.json file

rm package-lock.json

*refs: Alternatives to npm audit for yarn, yarn import