dsherret / ts-morph

TypeScript Compiler API wrapper for static analysis and programmatic code changes.
https://ts-morph.com
MIT License
5k stars 195 forks

Security Issue: Transitive Dependency Braces 3.0.2 #1535

Closed tomfrenken closed 4 months ago

tomfrenken commented 6 months ago

Describe the bug

Version: 22.0.0

Hey all,

Our pipeline is failing due to a security vulnerability in one of your transitive dependencies, braces version 3.0.2. Could you please resolve the issue?

tomfrenken commented 6 months ago

Dependency tree for reference:

[image: screenshot of the dependency tree from the project's lockfile, showing braces 3.0.2 reached transitively through ts-morph]

dsherret commented 4 months ago

Can you provide more details? Does purging your lockfile to get braces 3.0.3 solve the issue?

dsherret commented 4 months ago

> The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Ah, yeah, just bump it in your project to 3.0.3
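The thread's resolution is "bump braces to 3.0.3 in your own project", which for a transitive dependency means either regenerating the lockfile or forcing the version from the consuming project's package.json. The following is an added example (not code from ts-morph, its maintainers, or the issue author) that walks an npm lockfile's `packages` map (lockfileVersion 2/3), lists every installed copy of a package still below the fixed release, and builds the `overrides` entry npm (8.3 and later) uses to pin a transitive dependency. The sample lockfile is constructed; the intermediate version numbers in it are placeholders, not real releases.

```javascript
// Added example for this issue thread: find copies of a transitive dependency
// below the fixed release in an npm lockfile and produce the "overrides" pin.
// Not part of the ts-morph project.

const PACKAGE = "braces";
const FIXED_VERSION = "3.0.3"; // release the thread points to as the fix

// Compare two dotted release versions numerically. Lockfile "version" fields
// are exact releases, so no range or prerelease handling is needed here.
function lessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return every installed copy of `name` whose version is below `fixed`.
// Keys of lock.packages are install paths such as
// "node_modules/other-tool/node_modules/braces"; the segment after the last
// "node_modules/" is the package name (scoped names keep their slash).
function findVulnerable(lock, name, fixed) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    const segments = installPath.split("node_modules/");
    if (segments[segments.length - 1] !== name) continue;
    if (meta.version && lessThan(meta.version, fixed)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Return a copy of package.json with an npm "overrides" entry that forces
// `name` to `fixed` for every dependent in the tree. The input is not mutated.
function withOverride(pkg, name, fixed) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: fixed } };
}

// Constructed sample lockfile. The chain ts-morph -> @ts-morph/common ->
// fast-glob -> micromatch -> braces mirrors the tree in the issue; versions
// other than ts-morph's and braces' are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "ts-morph": "22.0.0" } },
    "node_modules/ts-morph": { version: "22.0.0" },
    "node_modules/@ts-morph/common": { version: "1.0.0" },
    "node_modules/fast-glob": { version: "1.0.0" },
    "node_modules/micromatch": { version: "1.0.0" },
    "node_modules/braces": { version: "3.0.2" }, // hoisted copy, still vulnerable
    "node_modules/other-tool": { version: "1.0.0" },
    "node_modules/other-tool/node_modules/braces": { version: "3.0.3" }, // nested copy, already fixed
  },
};

const SAMPLE_PACKAGE_JSON = { name: "my-app", dependencies: { "ts-morph": "22.0.0" } };

// Human-readable summary of what would be reported and what would be pinned.
function auditReport(lock, pkg, name, fixed) {
  const hits = findVulnerable(lock, name, fixed);
  const lines = hits.map((h) => `${h.path} is ${h.version} (< ${fixed})`);
  if (hits.length === 0) return `${name}: no copies below ${fixed}`;
  const pinned = withOverride(pkg, name, fixed);
  lines.push(`add to package.json: ${JSON.stringify({ overrides: pinned.overrides })}`);
  return lines.join("\n");
}

console.log(auditReport(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, PACKAGE, FIXED_VERSION));
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls braces` prints the same chain interactively. After adding the `overrides` entry, `npm install` rewrites the lockfile and `npm audit` should no longer flag braces. Yarn uses a `resolutions` field and pnpm a `pnpm.overrides` field for the same purpose.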