enzymejs / enzyme-matchers

Jasmine/Jest assertions for enzyme
MIT License
892 stars 116 forks

jest-environment-enzyme has vulnerability in dependencies #295

Open serhiyzablotskiy opened 5 years ago

serhiyzablotskiy commented 5 years ago

Hi. I have an issue with the dependencies of jest-environment-enzyme. The latest version, 7.0.1, has a dependency on jest-environment-jsdom@^22.4.1, and that version of jest-environment-jsdom is transitively dependent on the braces package. Here is the reported vulnerability in the braces package for versions earlier than v2.3.1: https://www.npmjs.com/advisories/786. But jest-environment-jsdom@^22.4.1 refers to a braces version before 2.3.1. Here is my dependency tree: https://cl.ly/37ce31a3e08c.

This issue is fixed in jest-environment-jsdom v23.4.0 and higher.

Can you use jest-environment-jsdom v23.4.0 and higher?
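The reporter's claim rests on a nested install of `braces` below the fixed version sitting several levels under `jest-environment-enzyme`. The following added example (written for this page, not code from enzyme-matchers or from the issue thread) shows how to verify such a claim from a `package-lock.json` offline: it walks the lockfile v1 layout, in which a `dependencies` object inside a package entry describes packages installed in that package's own nested `node_modules`, and reports every install of a named package whose version is below a given floor along with the path that pulled it in. The lockfile embedded below is constructed for illustration; the package names, versions and `requires` ranges in it are assumptions, not a copy of the reporter's real tree.

```javascript
// Added example, not part of enzyme-matchers: find every nested install of a
// package below a fixed-version floor in a lockfile v1 package-lock.json.
// The lockfile below is constructed for this example; its versions and
// "requires" ranges are assumptions, not the reporter's actual tree.
const CONSTRUCTED_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "jest-environment-enzyme": {
      version: "7.0.1",
      requires: { "jest-environment-jsdom": "^22.4.1" },
      dependencies: {
        "jest-environment-jsdom": {
          version: "22.4.3",
          requires: { micromatch: "^2.3.11" },
          dependencies: {
            micromatch: {
              version: "2.3.11",
              requires: { braces: "^1.8.2" },
              dependencies: {
                // nested install: this is the one the top-level braces@2.3.2 does not shadow
                braces: { version: "1.8.5" }
              }
            }
          }
        }
      }
    },
    micromatch: { version: "3.1.10", requires: { braces: "^2.3.1" } },
    braces: { version: "2.3.2" }
  }
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into three numbers.
// Prerelease and build metadata are ignored, so 2.3.1-beta compares equal
// to 2.3.1; that is conservative enough for a "below the fix" check.
function parseVersion(v) {
  const core = v.split("+")[0].split("-")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively collect every install of `pkg` whose version is < `fixedIn`.
// Returns [{ path: ["top", "nested", ..., pkg], version: "x.y.z" }, ...].
function findVulnerableInstalls(lockfile, pkg, fixedIn) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === pkg && compareVersions(entry.version, fixedIn) < 0) {
        hits.push({ path: here, version: entry.version });
      }
      walk(entry.dependencies, here); // descend into the nested node_modules
    }
  }
  walk(lockfile.dependencies, []);
  return hits;
}

// Render hits one per line, in the "a > b > c@version" shape `npm ls` uses.
function formatHits(hits) {
  return hits.map((h) => `${h.path.join(" > ")}@${h.version}`);
}

for (const line of formatHits(findVulnerableInstalls(CONSTRUCTED_LOCKFILE, "braces", "2.3.1"))) {
  console.log(line);
}
```

The point of walking the nested `dependencies` objects rather than only the top level is exactly the reporter's situation: a top-level `braces@2.3.2` satisfies the `^2.3.1` range that newer callers ask for, but the older `micromatch` still gets its own nested `braces@1.8.5`, and that copy is the one `npm audit` flags. Run against a real lockfile, replace `CONSTRUCTED_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfile v2 and v3 use a flat `packages` map keyed by install path instead, so they need a different walker.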

tgaff commented 5 years ago

I spent a little time looking into this today. Jumping to jest-environment-jsdom 23 doesn't quite work because they rolled back braces here: https://github.com/facebook/jest/pull/6661

So I tried jumping to version 24.x here: https://github.com/tgaff/enzyme-matchers/tree/fix_braces_security_warning