minimatch minimatch.js braceExpand() Function Improper Regular Expression DoS #1697

Closed
pratikbom opened this issue Mar 11, 2022 · 1 comment · Fixed by #1704

Comments

@pratikbom

protobuf.js version: 6.11.2

The above-mentioned version of protobufjs includes minimatch 3.0.4, which has the high-severity security issue below:
minimatch contains a flaw in the braceExpand() function in minimatch.js that is triggered as an improper regular expression is used to match patterns for brace expansion. This may allow a context-dependent attacker to hang or slow down a Node process using the library.
If we change the version of minimatch to 3.0.5 or above, then this could be resolved.
Can this be fixed in the next available release of protobufjs?

@ryansh100

Had an issue where the CLI is being included inside the main protobufjs package under cli/node_modules/minimatch folder. I would assume those should just be normal dependencies though.

richgerrard added a commit to richgerrard/protobuf.js that referenced this issue Mar 31, 2022
If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes protobufjs#1696
Fixes protobufjs#1697
Fixes protobufjs#1698
alexander-fenster added a commit that referenced this issue May 20, 2022
* Patch minimatch vulnerability

If I follow this, glob packages minimatch.  Minimatch released a fix, glob also has a newer build, picking this up should pick up that.
Fixes #1696
Fixes #1697
Fixes #1698

* chore: update lockfile

Co-authored-by: Alexander Fenster <[email protected]>