Describe the bug
The current version of react-simple-chatbot (0.6.1) includes a security vulnerability through transitive dependencies that use an older version of 'braces' (< 3.0.3), identified as CVE-2024-4068. This vulnerability allows potential DoS attacks through uncontrolled resource consumption.
To Reproduce
Steps to reproduce the behavior:
1. Install react-simple-chatbot@0.6.1
2. Run npm audit or check GitHub's Dependabot alerts
3. Observe the vulnerability warning for 'braces' through:
   - chokidar@2.1.8 (requires braces@^2.3.2)
   - micromatch@3.1.10 (requires braces@^2.3.1)
Expected behavior
Dependencies should use braces >= 3.0.3 to prevent the vulnerability (CVE-2024-4068).
Additional context
CVE: CVE-2024-4068
Advisory: GHSA-grv7-fg5c-xmjg
The vulnerability cannot be fixed by end users due to explicit version requirements from transitive dependencies.
Fix requires updating the dependencies in react-simple-chatbot to use newer versions of chokidar and micromatch that support braces >= 3.0.3.