tailwindlabs / tailwindcss

A utility-first CSS framework for rapid UI development.
https://tailwindcss.com/
MIT License

Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg #13832

Closed bot2x closed 4 months ago

bot2x commented 4 months ago

What version of Tailwind CSS are you using?

For example: v3.4.3

What build tool (or framework if it abstracts the build tool) are you using?

For example: next@14.1.4, postcss@8.4.38

Describe your issue

My npm audit reported:

    braces  <3.0.3
    Severity: high
    Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg

Result of "npm ls braces":

    └─┬ tailwindcss@3.4.3
      ├─┬ chokidar@3.6.0
      │ └── braces@3.0.2
      └─┬ micromatch@4.0.5
        └── braces@3.0.2 deduped

Checked the version 3.4.4 which still uses braces 3.0.2.

As per this, the issue is noticed in versions prior to 3.0.3. Also, this has fixed the issue in braces 3.0.3.

thecrypticace commented 4 months ago

You can run npm audit fix to address this in your project. Nothing in Tailwind CSS requires an earlier version and if you perform a fresh install of the latest version you'll get v3.0.3 of braces:

[Screenshot, 2024-06-13 10:18: output of a fresh install]
KNHui commented 4 months ago

I use yarn as a package manager, but yarn doesn't provide an audit command, so I solved it in the following way:

  1. Generate a package-lock.json file without installing node modules
    npm i --package-lock-only
  2. Fix the packages and update the package-lock.json file
    npm audit fix
  3. Delete the yarn.lock file and convert package-lock.json file into yarn.lock
    rm yarn.lock
    yarn import # or yarn install
  4. Delete the package-lock.json file
    rm package-lock.json

*refs: Alternatives to npm audit for yarn, yarn import
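Neither comment above shows how to confirm the outcome, so here is an added example (written for this thread; it is not code from Tailwind CSS, npm, yarn or the advisory). It reads a package-lock.json (lockfileVersion 2 or 3, the "packages" map layout) or a yarn.lock in the v1 text format and reports every resolved copy of `braces` still below 3.0.3, the fixed version named in GHSA-grv7-fg5c-xmjg. Nested copies (for example under `node_modules/chokidar/node_modules/braces`) are found too, which `npm ls` also shows but a quick grep for the top-level entry would miss. The lockfile contents are constructed to mirror the `npm ls braces` tree in the report; they are not real files from the project.

```javascript
// Added example, not code from Tailwind CSS, npm or yarn. Checks whether any
// resolved copy of a package in a lockfile is below the advisory's fixed version.
const FIXED_IN = "3.0.3"; // GHSA-grv7-fg5c-xmjg: braces < 3.0.3 is affected

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build suffixes ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over the numeric triple: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// package-lock.json (lockfileVersion 2/3): every installed copy is a key of
// "packages" such as "node_modules/chokidar/node_modules/braces"; the package
// name is the text after the last "node_modules/" (scoped names keep "@scope/").
function findInNpmLock(lock, name, fixedIn) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // "" is the root project; links have no version
    const pkgName = path.slice(idx + "node_modules/".length);
    if (pkgName === name && compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ where: path, version: entry.version });
    }
  }
  return hits;
}

// yarn.lock (v1 text format): an unindented header such as
//   braces@^3.0.2, braces@~3.0.2:
// names one resolved copy; the following indented `version "x.y.z"` line is its version.
function findInYarnLock(text, name, fixedIn) {
  const hits = [];
  let current = null; // header of the entry whose version line we are waiting for
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      // Specifiers may be quoted (scoped packages); the name is everything before the last "@".
      const specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      const names = specs.map((s) => s.slice(0, s.lastIndexOf("@")));
      current = names.includes(name) ? specs.join(", ") : null;
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current !== null) {
      if (compareVersions(m[1], fixedIn) < 0) hits.push({ where: current, version: m[1] });
      current = null; // one version line per header
    }
  }
  return hits;
}

// Constructed sample: the tree from the report (braces@3.0.2 deduped under tailwindcss).
const NPM_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/tailwindcss": { version: "3.4.3" },
    "node_modules/chokidar": { version: "3.6.0" },
    "node_modules/micromatch": { version: "4.0.5" },
    "node_modules/braces": { version: "3.0.2" },
  },
};
// Constructed sample: the same tree after `npm audit fix`.
const NPM_LOCK_AFTER = {
  ...NPM_LOCK_BEFORE,
  packages: { ...NPM_LOCK_BEFORE.packages, "node_modules/braces": { version: "3.0.3" } },
};
// Constructed sample: yarn.lock produced by `yarn import` from the fixed package-lock.json.
const YARN_LOCK_AFTER = `# yarn lockfile v1

braces@^3.0.2, braces@~3.0.2:
  version "3.0.3"
  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz"

"@example/unrelated@^1.0.0":
  version "1.0.0"
`;

function main() {
  const checks = [
    ["package-lock.json before fix", findInNpmLock(NPM_LOCK_BEFORE, "braces", FIXED_IN)],
    ["package-lock.json after fix", findInNpmLock(NPM_LOCK_AFTER, "braces", FIXED_IN)],
    ["yarn.lock after import", findInYarnLock(YARN_LOCK_AFTER, "braces", FIXED_IN)],
  ];
  for (const [label, hits] of checks) console.log(label + ":", hits.length ? hits : "clean");
}
main();
```

To run it against a real project, replace the constructed constants with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and `fs.readFileSync("yarn.lock", "utf8")`. A non-empty result after `npm audit fix` or `yarn import` means some dependency still pins an older `braces`, which `npm ls braces` will show as a nested (non-deduped) copy.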