jasmine / jasmine-npm

A jasmine runner for node projects.
MIT License

Vulnerabilities found on latest version of Jasmine(4.6.0) #204

Closed. sn06work closed this issue 1 year ago.

sn06work commented 1 year ago

Steps to Reproduce

By running 'npm audit' on jasmine project

Expected Behavior

Jasmine's sub-dependency minimatch is giving the vulnerability, and it is expecting the minimatch version under jasmine to be >=3.0.5.

Actual Behavior

(screenshot of the npm audit output, taken 2023-03-21)

Example code that reproduces the problem

{
  "devDependencies": {
    "jasmine": "^4.6.0"
  }
}

Possible Solution

Updating minimatch under jasmine to version >=3.0.5

Context

No response

jasmine-core version

4.6.0

Versions of other relevant packages

No response

Node.js or browser version

14.21.2

Operating System

MacOS

sgravrock commented 1 year ago

That error doesn't reproduce in a fresh install of Jasmine:

$ cat package.json 
{
  "devDependencies": {
    "jasmine": "^4.6.0"
  }
}
$ npm ls minimatch
/private/tmp/jd
└─┬ jasmine@4.6.0
  └─┬ glob@7.2.3
    └── minimatch@3.1.2 

$ npm audit

                       === npm audit security report ===                        

found 0 vulnerabilities
 in 13 scanned packages

If you're getting it, that probably means that something other than Jasmine is pinning minimatch to an old version. It could be that you have another dependency that requires minimatch <3.0.5, or it could be pinned via your lockfile. Try removing your lockfile, checking anything else that depends on minimatch, and doing a fresh npm install.

In any case, there's no vulnerability here. The only way for an attacker to exploit the flaw in minimatch is if they can control either the Jasmine configuration file or the arguments to the jasmine command. Someone with that ability can already run arbitrary code, so they can do whatever nastiness they want directly rather than having to rely on ReDoS vulnerabilities.

Unfortunately, npm audit produces a lot of false positives for developer tools. See https://overreacted.io/npm-audit-broken-by-design/.

The only way for Jasmine to actually forbid minimatch <3.0.5, as opposed to just allowing >=3.0.5, is to depend on glob 8 or later. That's already been done in jasmine 5.0.0-alpha.0. The dependency change can't be backported to Jasmine 4.x because it involves breaking changes to how file globs are interpreted on Windows.
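The triage step sgravrock describes ("check anything else that depends on minimatch" and whether the lockfile pins an old copy) can be done mechanically from package-lock.json. The following Node script is an added example for this thread, not code from the jasmine project: it walks the lockfile v2/v3 `packages` map (keys such as `node_modules/a/node_modules/b`), finds every copy of a package below a minimum version, and reports the nesting chain that pulls it in. The embedded lockfile is constructed for the example; the nested dependency `legacy-tool` is hypothetical and stands in for whatever other package is pinning minimatch in the reporter's project.

```javascript
// Added example (not jasmine's code): locate every copy of a package in a
// package-lock.json that is below a given version, and show which dependency
// chain brought it in. Assumes the lockfile v2/v3 "packages" map layout.

const MIN_SAFE = "3.0.5"; // lower bound the npm audit report asks for, per the issue

// Compare two dotted numeric versions ("3.0.4" vs "3.0.5"):
// negative if a < b, 0 if equal, positive if a > b. Pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// "node_modules/a/node_modules/b/node_modules/minimatch" -> ["a", "b", "minimatch"]
// Scoped names ("@scope/pkg") keep their slash because we split on "node_modules/".
function chainFromKey(key) {
  return key
    .split("node_modules/")
    .filter(Boolean)
    .map((s) => s.replace(/\/$/, ""));
}

// Return [{ version, chain }] for every installed copy of pkgName older than minSafe.
function findOutdated(lock, pkgName, minSafe) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // "" is the root project entry, not a dependency
    const chain = chainFromKey(key);
    if (chain[chain.length - 1] !== pkgName) continue;
    if (typeof entry.version === "string" && compareVersions(entry.version, minSafe) < 0) {
      hits.push({ version: entry.version, chain: chain.join(" > ") });
    }
  }
  return hits;
}

// Constructed sample lockfile. The top-level minimatch is current (3.1.2, what a
// fresh jasmine install resolves to), but a hypothetical "legacy-tool" declares
// "~3.0.0", which 3.1.2 cannot satisfy, so npm nests an old 3.0.4 under it.
const SAMPLE_LOCK = {
  name: "example-project",
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { jasmine: "^4.6.0", "legacy-tool": "^1.0.0" } },
    "node_modules/jasmine": { version: "4.6.0", dependencies: { glob: "^7.1.6" } },
    "node_modules/glob": { version: "7.2.3", dependencies: { minimatch: "^3.1.1" } },
    "node_modules/minimatch": { version: "3.1.2" },
    "node_modules/legacy-tool": { version: "1.0.0", dependencies: { minimatch: "~3.0.0" } },
    "node_modules/legacy-tool/node_modules/minimatch": { version: "3.0.4" },
  },
};

// Usage: node find-outdated.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile above is scanned.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = findOutdated(lock, "minimatch", MIN_SAFE);
  if (hits.length === 0) {
    console.log(`no minimatch older than ${MIN_SAFE} found`);
  }
  for (const h of hits) {
    console.log(`minimatch@${h.version} (< ${MIN_SAFE}) via ${h.chain}`);
  }
}
```

Run against a real project's lockfile, the chain printed for each old copy names the package to update or remove; a chain of just `minimatch` means the top-level copy itself is pinned and a fresh install after deleting the lockfile, as suggested above, is the fix. A `jasmine > glob > minimatch` chain would never appear for jasmine 4.6.0, since its glob 7.2.3 dependency resolves minimatch 3.1.2 as shown in the `npm ls` output in the comment.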