cheton / browserify-css

A Browserify transform for bundling, rebasing, inlining, and minifying CSS files.
http://cheton.github.io/browserify-css/
MIT License

Security: Update `find-node-modules` to resolve `braces` vulnerability #66

Closed G-Rath closed 5 years ago

G-Rath commented 5 years ago

Low Regular Expression Denial of Service

Package braces

Patched in >=2.3.1

Dependency of browserify-css [dev]

Path browserify-css > find-node-modules > findup-sync > micromatch > braces

More info https://npmjs.com/advisories/786

I have made a comment requesting a new version of micromatch@2.x.x be released with an update to the braces dependency, which might happen and thus resolve this.

However, ideally browserify-css should update find-node-modules to v2.0.0, to resolve this security vulnerability.
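The advisory above gives a dependency path and a patched range; whether a bump actually closes the finding depends on which `braces` version ends up at the end of that path. The following is an added example (not code from the issue or from the browserify-css project) that walks a lockfile-like tree along the advisory path and compares the leaf version against the patched range. The tree shapes, the intermediate package versions and the post-bump chain are constructed placeholders, not the real dependency graph of find-node-modules 2.0.0.

```javascript
// Added example: verify an npm-audit style finding against a dependency tree.
// Assumes a simplified tree shape { name, version, dependencies: { name: node } };
// the trees below are constructed, not read from a real lockfile.

// Minimal "x.y.z" comparison (no prerelease tags), enough for this advisory.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Follow "root > dep > dep ..." through the tree; null if the path is gone.
function resolvePath(root, path) {
  const names = path.split('>').map((s) => s.trim());
  if (names[0] !== root.name) throw new Error(`path must start at ${root.name}`);
  let node = root;
  for (const name of names.slice(1)) {
    node = (node.dependencies || {})[name];
    if (!node) return null;
  }
  return node;
}

// True when the package at the end of the advisory path is older than
// the patched version; false when it is patched or no longer on that path.
function isVulnerable(root, advisory) {
  const leaf = resolvePath(root, advisory.path);
  if (!leaf) return false;
  return compareVersions(leaf.version, advisory.patchedIn) < 0;
}

// Advisory data as quoted in the issue (npm advisory 786).
const ADVISORY = {
  package: 'braces',
  patchedIn: '2.3.1',
  path: 'browserify-css > find-node-modules > findup-sync > micromatch > braces',
  url: 'https://npmjs.com/advisories/786',
};

// Constructed tree: the chain as reported, ending in an old braces release.
// All versions except the leaf are placeholders.
const BEFORE_BUMP = {
  name: 'browserify-css', version: '0.0.0',
  dependencies: { 'find-node-modules': { name: 'find-node-modules', version: '1.0.0',
    dependencies: { 'findup-sync': { name: 'findup-sync', version: '0.0.0',
      dependencies: { micromatch: { name: 'micromatch', version: '2.0.0',
        dependencies: { braces: { name: 'braces', version: '1.8.5' } } } } } } } },
};

// Constructed tree: same chain after a hypothetical bump that resolves braces
// to a version inside the patched range.
const AFTER_BUMP = {
  name: 'browserify-css', version: '0.0.0',
  dependencies: { 'find-node-modules': { name: 'find-node-modules', version: '2.0.0',
    dependencies: { 'findup-sync': { name: 'findup-sync', version: '0.0.0',
      dependencies: { micromatch: { name: 'micromatch', version: '3.0.0',
        dependencies: { braces: { name: 'braces', version: '2.3.2' } } } } } } } },
};

console.log('before bump vulnerable:', isVulnerable(BEFORE_BUMP, ADVISORY));
console.log('after bump vulnerable:', isVulnerable(AFTER_BUMP, ADVISORY));
```

The check deliberately treats a missing path as "not vulnerable on this path": a bump that removes `micromatch` from the chain clears this finding even though `braces` might still be reachable elsewhere, so in practice each reported path is checked separately.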

AsinusRex commented 5 years ago

Also hoping for a dependency version bump up to get rid of the vulnerability. Doing it by hand introduces a whole new process to deployment.