[BUG] v10 bundled dependency `[email protected]` is vulnerable to ReDoS
Is there an existing issue for this?
- [x] I have searched the existing issues
This issue exists in the latest npm version
- [ ] I am using the latest npm
Current Behavior
When I run npm audit in a project containing npm@10, I see:
# npm audit report
brace-expansion 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion
1 low severity vulnerability
To address all issues, run:
npm audit fix
When I run npm audit fix, I see:
npm warn audit fix [email protected] node_modules/npm/node_modules/brace-expansion
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
Expected Behavior
No npm audit findings in npm
Steps To Reproduce
npm install npm@10
npm audit
Environment
- npm: 10.9.2
- Node.js: 22.15.1
- OS Name: OS X
- System Model Name: MacBook Pro
- npm config: N/A
It has been unfixed for almost a week.
It's inside the minimatch package. The currently used version is 9.0.5.
Here is my npm ls output:
[email protected]
└─ [email protected]
   └─ [email protected] ← vulnerable
Unfortunately, minimatch didn't update its deps; v9.0.5 is the latest in v9.x.x. The next version is v10 (which uses brace-expansion v4).
What's the code path this is used in, though? ReDoS vulns are often false positives when they're self-attacks.
This issue also produces an unfixable low-severity vulnerability warning when using [email protected] (current latest):
Steps to reproduce
cd $(mktemp -d)
npm init -y
npm install semantic-release@latest
npm audit fix
Logs
$ npm audit fix
npm warn audit fix [email protected] node_modules/npm/node_modules/brace-expansion
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
up to date, audited 495 packages in 3s
100 packages are looking for funding
run `npm fund` for details
# npm audit report
brace-expansion 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion
1 low severity vulnerability
To address all issues, run:
npm audit fix
- Edit: reported also in https://github.com/semantic-release/npm/issues/966
Since I'm using Yarn, and I'm quite sure my app won't use this global package, I fixed it temporarily by removing the brace-expansion directory.
I added this line in my dockerfile:
# TODO Remove the below line when a new node image is released that includes a fix for the brace-expansion vulnerability
RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion
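As an added example, not code from this thread or from the npm project: a POSIX sh gate that reads the version of the brace-expansion copy npm bundles and fails the build if it is in the affected range, instead of deleting the directory unconditionally. It assumes the layout `node_modules/npm/node_modules/brace-expansion/package.json` under an install prefix (the `/usr/local/lib` prefix from the Dockerfile above is one such), and it tests only the `2.0.0 - 2.0.1` range that the audit output on this page reports; the function names and the fixture are my own.

```shell
#!/bin/sh
# Added example, not part of the npm/cli issue thread.
# Assumed layout: <prefix>/node_modules/npm/node_modules/brace-expansion/package.json
# Only the 2.0.0 - 2.0.1 range shown by `npm audit` above is checked; other
# release lines of the advisory are out of scope here.

# Print the "version" field of the bundled brace-expansion, or "missing".
bundled_brace_expansion_version() {
  pkg="$1/node_modules/npm/node_modules/brace-expansion/package.json"
  if [ ! -f "$pkg" ]; then
    echo "missing"
    return 0
  fi
  # Extract the value of the top-level "version" key; first match wins.
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# Succeed (exit 0) when the version lies in the audit's affected range.
is_affected_version() {
  case "$1" in
    2.0.0|2.0.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Build/CI gate: exit 0 when the bundled copy is absent or outside the range,
# exit 2 when it is affected, so a Dockerfile RUN step fails loudly.
check_bundled_brace_expansion() {
  v=$(bundled_brace_expansion_version "$1")
  if [ "$v" = "missing" ]; then
    echo "no bundled brace-expansion under $1"
    return 0
  fi
  if is_affected_version "$v"; then
    echo "bundled brace-expansion $v is in the affected range (GHSA-v6h2-p8h4-qcjw)"
    return 2
  fi
  echo "bundled brace-expansion $v is outside the affected range"
  return 0
}

# Constructed fixture for offline use: a fake prefix carrying the given version.
make_fixture_prefix() {
  dir=$(mktemp -d)
  mkdir -p "$dir/node_modules/npm/node_modules/brace-expansion"
  printf '{\n  "name": "brace-expansion",\n  "version": "%s"\n}\n' "$1" \
    > "$dir/node_modules/npm/node_modules/brace-expansion/package.json"
  echo "$dir"
}

# Real use against the official node image prefix:
#   check_bundled_brace_expansion /usr/local/lib
```

In a Dockerfile this replaces the `rm -rf` line with `RUN sh /check.sh /usr/local/lib`, so the build breaks when a base image still ships an affected copy and passes without manual edits once a fixed npm is bundled.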
Can the update to [email protected] be backported to [email protected] or is that not possible?
[email protected] updated to [email protected] and fixed this issue in [email protected]
This should be fixed through PR https://github.com/npm/cli/pull/8378 in v10.9.3
@mhassan1
Will you close this issue now?
Your steps to reproduce, which now install [email protected], no longer show any audit issue (0 vulnerabilities):
Steps
cd $(mktemp -d)
npm install npm@10
npm audit fix
npm ls
Logs
$ cd $(mktemp -d)
$ npm install npm@10
$ npm audit fix
$ npm ls
added 1 package in 2s
25 packages are looking for funding
run `npm fund` for details
up to date, audited 210 packages in 1s
25 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
tmp.q9gBlDx9eM@ /tmp/tmp.q9gBlDx9eM
└── [email protected]
(The semantic-release issue I mentioned has also been fixed.)