remy / nodemon

Monitor for any changes in your node.js application and automatically restart the server - perfect for development
http://nodemon.io/
MIT License

[CVE-2024-4068] Uncontrolled resource consumption found in braces - Question #2210

Closed tomkdgun closed 1 month ago

tomkdgun commented 1 month ago

Regarding https://github.com/remy/nodemon/issues/2203

The braces released new version 3.0.3 with different default limits: https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff

Are there any plans to perform npm audit fix, to make CVE scanners happy?

Background:

Snyk reported a vulnerability in the nodemon 3.1.0 dependency.

Issues with no direct upgrade or patch:
11:08:29 ✗ Uncontrolled resource consumption [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@3.0.2
11:08:29   introduced by nodemon@3.1.0 > chokidar@3.5.3 > braces@3.0.2
11:08:29   No upgrade or patch available

https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727

remy commented 1 month ago

If 3.0.3 is out, why would there be an npm audit fix? Purge your node_modules and reinstall, you'll pick up the latest patch.

tomkdgun commented 4 weeks ago

@remy The npm audit fix will update the package-lock.json entry for nodemon https://github.com/remy/nodemon/blob/main/package-lock.json#L1480