robot-inventor / astro-custom-toc Goto Github PK
View Code? Open in Web Editor NEWAstro Integration to generate a customizable table of contents
License: MIT License
Astro Integration to generate a customizable table of contents
License: MIT License
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json,/package.json
Found in HEAD commit: 0c79c56ad18cc8e1dc661800e3de79078208a4cd
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c79c56ad18cc8e1dc661800e3de79078208a4cd
Found in base branch: main
The NPM package braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c79c56ad18cc8e1dc661800e3de79078208a4cd
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/micromatch/package.json
Found in HEAD commit: ca05458d3f1e3a2d4c9d52fdbc983ab2eeaf5e80
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: ca05458d3f1e3a2d4c9d52fdbc983ab2eeaf5e80
Found in base branch: main
The NPM package braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/micromatch/package.json
Dependency Hierarchy:
Found in HEAD commit: ca05458d3f1e3a2d4c9d52fdbc983ab2eeaf5e80
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Found in HEAD commit: 92230fc4c0a192d2f3d70df513d9a9bf7a93512d
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
Found in HEAD commit: 92230fc4c0a192d2f3d70df513d9a9bf7a93512d
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Found in HEAD commit: d2bf828b9d0161cbe4a2e7e66534427e144459ca
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: d2bf828b9d0161cbe4a2e7e66534427e144459ca
Found in base branch: main
The NPM package braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
Found in HEAD commit: d2bf828b9d0161cbe4a2e7e66534427e144459ca
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Found in HEAD commit: a7285c6b562ebc919b5dac918e48f239d82961c2
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: a7285c6b562ebc919b5dac918e48f239d82961c2
Found in base branch: main
The NPM package braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
Found in HEAD commit: a7285c6b562ebc919b5dac918e48f239d82961c2
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
If the heading already has an id set by another plugin, use it; otherwise, set the id.
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/micromatch/package.json
Found in HEAD commit: d872cb87f87327acc89ddc0bb0bc64b2a3b060f3
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: d872cb87f87327acc89ddc0bb0bc64b2a3b060f3
Found in base branch: main
The NPM package braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/node_modules/micromatch/package.json
Dependency Hierarchy:
Found in HEAD commit: d872cb87f87327acc89ddc0bb0bc64b2a3b060f3
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
.npmrc
package-lock.json
and run npm install
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
.github/workflows/format.yml
actions/checkout v4
actions/setup-node v4
.github/workflows/lint.yml
actions/checkout v4
actions/setup-node v4
.github/workflows/release.yml
actions/checkout v4
actions/setup-node v4
changesets/action v1
package.json
@astrojs/markdown-remark ^5.1.0
@types/hast ^3.0.4
astro ^4.5.17
hast-util-from-html ^2.0.1
hast-util-to-html ^9.0.1
hastscript ^9.0.0
remark-comment ^1.0.0
typescript ^5.3.3
unified ^11.0.4
unist-util-visit ^5.0.0
@changesets/changelog-github ^0.5.0
@changesets/cli ^2.27.1
@robot-inventor/eslint-config ^0.2.0
eslint ^9.0.0
prettier ^3.2.5
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: e6d1a7529aed4517fe0228c2e3fc1ac7e5a089dd
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: e6d1a7529aed4517fe0228c2e3fc1ac7e5a089dd
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: d17145118a2b893e2e6bc16416eb7bc1810fa909
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 5.3 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: d17145118a2b893e2e6bc16416eb7bc1810fa909
Found in base branch: main
The NPM package braces
, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: d17145118a2b893e2e6bc16416eb7bc1810fa909
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json
Dependency Hierarchy:
Found in base branch: main
The NPM package braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json
Dependency Hierarchy:
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json,/package.json
Found in HEAD commit: 6f8bf772564de4f738c3c6e73cfbdf8fec03d86b
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/braces/package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 6f8bf772564de4f738c3c6e73cfbdf8fec03d86b
Found in base branch: main
The NPM package braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/micromatch/package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 6f8bf772564de4f738c3c6e73cfbdf8fec03d86b
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: c50e3a6f9d759ba83a57539305fa26bc4b9d0b37
CVE | Severity | Dependency | Type | Fixed in (astro version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2024-4068 | 7.5 | braces-3.0.2.tgz | Transitive | N/A* | ❌ | |
CVE-2024-4067 | 7.5 | micromatch-4.0.5.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c50e3a6f9d759ba83a57539305fa26bc4b9d0b37
Found in base branch: main
The NPM package braces
fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js,
if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
Step up your Open Source Security Game with Mend here
Glob matching for javascript/node.js. A replacement and faster alternative to minimatch and multimatch.
Library home page: https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: c50e3a6f9d759ba83a57539305fa26bc4b9d0b37
Found in base branch: main
The NPM package micromatch
is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces()
in index.js
because the pattern .*
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
Mend Note: After conducting a further research, it was concluded that CVE-2024-4067 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of micromatch should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4067
Base Score Metrics:
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: micromatch - 4.0.6
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.