chimurai / http-proxy-middleware

:zap: The one-liner node.js http-proxy middleware for connect, express, next.js and more
MIT License

micromatch vulnerable at v4.0.5 #1004

Closed benjsmi closed 1 month ago

benjsmi commented 1 month ago

Describe the feature you'd love to see

https://github.com/chimurai/http-proxy-middleware/blob/master/package.json#L93

micromatch is vulnerable at v4.0.5 as per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067. To me, it doesn't look like they are going to cut a new release -- their last commit was in 2019.

So this is a feature request to move to a different matching package -- one that is maintained more regularly or at least isn't vulnerable to this CVE.

Additional context (optional)

No response

chimurai commented 1 month ago

Thanks for the report.

To get some facts right: micromatch's last commit dates from 2 months ago (March 28th 2024), not 2019 as you mentioned. See commit: https://github.com/micromatch/micromatch/commit/6b3526fcb328026aa1f02cc07b18fa4ef70e014a

Please follow threads in micromatch with ongoing updates:

A fix has landed in micromatch/braces and will be released in 3.0.3

The suggestion is to monitor the upstream progress and update your transitive packages as soon as the fix has been released.

paulmillr commented 1 month ago

There is NO vulnerability: https://github.com/micromatch/braces/pull/37#issuecomment-2121649614

chimurai commented 1 month ago

To resolve the issue, update your package lockfile to micromatch@4.0.6 or higher.
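The remediation in the maintainer's comments (update every transitive copy in the lockfile to micromatch@4.0.6 or higher) can be checked mechanically. The script below is an added example, not code from http-proxy-middleware or anyone in this thread; it assumes npm's package-lock.json layout (v1 nested tree or v2/v3 packages map), and the lockfile it scans is constructed.

```javascript
// Added example (not from http-proxy-middleware or this thread): report every
// copy of a package in a parsed package-lock.json, nested transitive copies
// included, whose version is below a minimum. Supports the v1 nested
// "dependencies" tree and the v2/v3 flat "packages" map. Sample is constructed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/http-proxy-middleware": { version: "3.0.0" },
    "node_modules/micromatch": { version: "4.0.5" }, // below the fixed release
    "node_modules/some-tool/node_modules/micromatch": { version: "4.0.7" },
  },
};
// Numeric dotted-version compare (pre-release suffix ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Yield { path, name, version } for every installed package in the lockfile.
function* lockEntries(lock) {
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry.version) continue;
      yield { path, name: path.slice(path.lastIndexOf("node_modules/") + 13), version: entry.version };
    }
    return;
  }
  const walk = function* (deps, prefix) { // lockfileVersion 1: nested tree
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      yield { path, name, version: entry.version };
      yield* walk(entry.dependencies, path + "/");
    }
  };
  yield* walk(lock.dependencies, "");
}
// Every copy of `pkg` whose version is below `minVersion`, with its install path.
function findOutdated(lock, pkg, minVersion) {
  return [...lockEntries(lock)]
    .filter((e) => e.name === pkg && e.version && compareVersions(e.version, minVersion) < 0)
    .map((e) => ({ path: e.path, version: e.version }));
}
console.log(findOutdated(SAMPLE_LOCK, "micromatch", "4.0.6"));
```

To audit a real project, pass the parsed contents of its package-lock.json to findOutdated in place of SAMPLE_LOCK; an empty result means no copy of micromatch below 4.0.6 is pinned anywhere in the tree.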