http-proxy-middleware

micromatch vulnerable at v4.0.5

Open benjsmi opened this issue 1 year ago • 2 comments

Describe the feature you'd love to see

https://github.com/chimurai/http-proxy-middleware/blob/master/package.json#L93

micromatch is vulnerable at v4.0.5 as per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067. To me, it doesn't look like they are going to cut a new release -- their last commit was in 2019.

So this is a feature request to move to a different matching package -- one that is maintained more regularly or at least isn't vulnerable to this CVE.

Additional context (optional)

No response

benjsmi, May 16 '24 14:05

Thanks for the report.

To get some facts right: micromatch's last commit dates from 2 months ago (March 28th 2024), not 2019 as you mentioned. See commit: https://github.com/micromatch/micromatch/commit/6b3526fcb328026aa1f02cc07b18fa4ef70e014a

Please follow threads in micromatch with ongoing updates:

  • https://github.com/micromatch/micromatch/issues/243
  • https://github.com/micromatch/micromatch/issues/254

A fix has landed in micromatch/braces and will be released in 3.0.3.

  • https://github.com/micromatch/braces/pull/37
  • https://github.com/micromatch/braces/issues/36#issuecomment-2118450599

The suggestion is to monitor the upstream progress and update your transitive packages as soon as the fix has been released.

chimurai, May 19 '24 09:05

There is NO vulnerability: https://github.com/micromatch/braces/pull/37#issuecomment-2121649614

paulmillr, May 21 '24 03:05

To resolve the issue, update your package lockfile to braces@3.0.3 or higher.

chimurai, May 22 '24 20:05
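The advice above is to check the lockfile rather than the top-level dependency list, because the affected copy of `braces` can be nested under micromatch. Added example (not code from the issue thread or from the http-proxy-middleware project): a scanner for a `package-lock.json` (lockfileVersion 2/3, whose `packages` map is keyed by node_modules path) that lists every installed `braces` below 3.0.3; the sample lockfile and the `^` ranges in it are constructed for illustration.

```javascript
// Version below which braces should be reported (the fixed release named in this thread).
const FIXED_VERSION = '3.0.3';

// Compare two dotted numeric versions (pre-release suffix ignored); negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return [{path, version}] for every installed copy of braces older than `fixed`,
// including nested copies such as node_modules/micromatch/node_modules/braces.
function findVulnerableBraces(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [p, entry] of Object.entries(lockfile.packages || {})) {
    if (!p.endsWith('node_modules/braces')) continue;
    if (entry.version && compareVersions(entry.version, fixed) < 0) {
      hits.push({ path: p, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level braces is already fixed, but micromatch
// (pulled in by http-proxy-middleware) still carries its own older nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { 'http-proxy-middleware': '^2.0.6' } },
    'node_modules/http-proxy-middleware': { version: '2.0.6', dependencies: { micromatch: '^4.0.5' } },
    'node_modules/micromatch': { version: '4.0.5', dependencies: { braces: '^3.0.2' } },
    'node_modules/micromatch/node_modules/braces': { version: '3.0.2' },
    'node_modules/braces': { version: '3.0.3' },
  },
};

// Usage: node check-braces.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : sampleLock;
  const hits = findVulnerableBraces(lock);
  console.log(hits.length ? hits : `no braces below ${FIXED_VERSION}`);
}
```

A clean result here only means the lockfile no longer resolves an old braces; `npm ls braces` gives the same view and should agree.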