Closed: benjsmi closed this 1 month ago
Thanks for the report.

To get some facts right: micromatch's last commit dates from 2 months ago (March 28th 2024), not 2019 like you mentioned. See commit: https://github.com/micromatch/micromatch/commit/6b3526fcb328026aa1f02cc07b18fa4ef70e014a
Please follow the threads in micromatch with ongoing updates: a fix has landed in micromatch/braces and will be released in 3.0.3.

The suggestion is to monitor the upstream progress, and update your transitive packages as soon as the fix has been released.
There is NO vulnerability: https://github.com/micromatch/braces/pull/37#issuecomment-2121649614
To resolve the issue, update your package lockfile to micromatch@4.0.6 or higher.
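A way to verify that advice against an actual lockfile, as an added example that is not part of the thread or of http-proxy-middleware's code: it walks a package-lock.json (lockfileVersion 2/3 `packages` map, or the v1 `dependencies` tree) and reports every copy of a package, including nested duplicates, that is below the minimum version. The sample lockfile and the package name and threshold are constructed from the versions named in this thread.

```javascript
// Added example (not http-proxy-middleware's own code): find every instance of a
// package in a package-lock.json and report the ones below a minimum version.
const MIN_MICROMATCH = "4.0.6"; // version the maintainer points to above

function parseVersion(v) {
  // Compare only the numeric core; any prerelease/build suffix is dropped.
  return v.split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect {path, version} for every copy of `name`, nested copies included.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [n, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${n}`;
        if (n === name) hits.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Every copy below `min`; an empty array means the lockfile satisfies the advice.
function outdatedInstances(lock, name, min) {
  return findPackage(lock, name).filter((h) => compareVersions(h.version, min) < 0);
}

// Constructed sample: the top-level copy is fixed, but a nested copy is still old.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/micromatch": { version: "4.0.6" },
    "node_modules/some-dep/node_modules/micromatch": { version: "4.0.5" },
  },
};
console.log(outdatedInstances(SAMPLE_LOCK, "micromatch", MIN_MICROMATCH));
```

Nested copies are the ones `npm ls micromatch` is for; a clean top-level entry alone does not prove the lockfile is updated.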
Describe the feature you'd love to see
https://github.com/chimurai/http-proxy-middleware/blob/master/package.json#L93

micromatch is vulnerable at v4.0.5 as per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067. To me, it doesn't look like they are going to cut a new release -- their last commit was in 2019. So this is a feature request to move to a different matching package -- one that is maintained more regularly or at least isn't vulnerable to this CVE.
Additional context (optional)
No response