Open nilsel opened 1 month ago
Sorry, I may have been too eager on this one. After deleting package-lock.json and running npm i react-docgen-typescript-plugin@latest (we had ^1.0.5 in package.json), @latest got us to ^1.0.8, which in turn installed braces@3.0.3.
Something something lockfile 🤦
storybook@ /Users/me/some-dir/storeblocks
├─┬ react-docgen-typescript-plugin@1.0.8
│ └─┬ micromatch@4.0.7
│   └── braces@3.0.3
└─┬ typescript-plugin-css-modules@5.1.0
  └─┬ sass@1.77.8
    └─┬ chokidar@3.6.0
      └── braces@3.0.3 deduped
Versions/tools used (nx report):
Node : 20.14.0
OS : darwin-arm64
Native Target : aarch64-macos
npm : 10.7.0
nx : 19.5.4
lerna : 8.1.7
@nx/devkit : 19.5.4
@nrwl/tao : 19.5.4
typescript : 5.0.4
Stumbled across this on a React project: braces@3.0.2 has a bug, CVE-2024-4068, which could lead to OOM errors (apparently not easy to trigger, but I managed to do it somehow). braces@3.0.2 was used in micromatch@4.0.5.
Couldn't find any mentions of either micromatch or braces in issues/PR's.
This was pretty deep down in our monorepo dependency graph:
Error trace (snipped):
Micromatch@4.0.6 commit which updated braces to 3.0.3: https://github.com/micromatch/micromatch/commit/92d490dd23da0d02bdc2414ed3929a185a464218
I'm no expert on react-docgen-typescript-plugin (or TS in general), so if I'm wrong you may just close this. Also I'm not sure if @types/micromatch should be updated as well. Anyhow, thanks for creating and open sourcing this package ❤️
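The reporter's point is that a vulnerable `braces` sat several levels below the package they actually depend on, and only a lockfile walk (or `npm ls braces`) reveals which chain pulls it in. As an added example, not code from this issue or from the react-docgen-typescript-plugin project, the script below walks the `packages` map of a package-lock.json (lockfile v2/v3) using npm's nearest-`node_modules` resolution rule and lists every dependency chain that ends on a `braces` version older than the fixed 3.0.3. The lockfile contents are constructed for illustration; the nested `chokidar/node_modules/braces` entry is there to show that a nested, already-patched copy is not reported while the hoisted 3.0.2 is.

```javascript
// Constructed lockfile fragment (not the reporter's real package-lock.json).
// Keys follow lockfile v2/v3: "" is the root, "node_modules/<name>" a hoisted
// package, "node_modules/<a>/node_modules/<b>" a copy nested under <a>.
const lock = {
  name: "storybook",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-docgen-typescript-plugin": "^1.0.5", "typescript-plugin-css-modules": "^5.1.0" } },
    "node_modules/react-docgen-typescript-plugin": { version: "1.0.5", dependencies: { micromatch: "^4.0.5" } },
    "node_modules/micromatch": { version: "4.0.5", dependencies: { braces: "^3.0.2" } },
    "node_modules/braces": { version: "3.0.2" },
    "node_modules/typescript-plugin-css-modules": { version: "5.1.0", dependencies: { sass: "^1.77.8" } },
    "node_modules/sass": { version: "1.77.8", dependencies: { chokidar: "^3.6.0" } },
    "node_modules/chokidar": { version: "3.6.0", dependencies: { braces: "~3.0.2" } },
    // Hypothetical nested copy: chokidar already got a patched braces.
    "node_modules/chokidar/node_modules/braces": { version: "3.0.3" },
  },
};

// Compare x.y.z version strings numerically (prerelease tags are ignored,
// which is enough for the release versions in a lockfile's "version" field).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// npm's lookup rule: a package at `fromPath` requiring `name` gets the copy in
// its own node_modules if present, otherwise the nearest ancestor's, ending at
// the hoisted "node_modules/<name>". Returns the lockfile key or null.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root, recording every chain that reaches `name`
// at a version below `fixedVersion`. Cycles are guarded per branch so that
// circular dependencies cannot loop forever.
function findVulnerablePaths(lockfile, name, fixedVersion) {
  const pkgs = lockfile.packages;
  const results = [];
  const walk = (path, chain, seen) => {
    const pkg = pkgs[path];
    if (!pkg || seen.has(path)) return;
    const branchSeen = new Set(seen);
    branchSeen.add(path);
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const depPath = resolve(pkgs, path, dep);
      if (!depPath) continue; // not installed (e.g. optional dep); nothing to inspect
      const version = pkgs[depPath].version;
      const next = [...chain, `${dep}@${version}`];
      if (dep === name && compareVersions(version, fixedVersion) < 0) {
        results.push(next.join(" > "));
      }
      walk(depPath, next, branchSeen);
    }
  };
  walk("", [], new Set());
  return results;
}

// Usage: report every chain that still lands on a pre-3.0.3 braces.
for (const chain of findVulnerablePaths(lock, "braces", "3.0.3")) {
  console.log("vulnerable:", chain);
}
```

On a real checkout, `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object gives the same report that `npm ls braces` prints as a tree, with the added version comparison so that chains already on a fixed copy are filtered out rather than listed alongside the vulnerable one.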