Backport CVE-2024-4067 fix from 4.0.6 over 4.0.7 #266
Conversation
- 4.0.6 breaks API compatibility
tests are failing
this is because macos-latest is now macos-14, which only supports ARM (M1) CPUs and only Node 16+. You'll need to either use macos-13 or macos-12 for the Node 10, 12 and 14 versions, or use
Yeah, the issue with the test was the mentioned issue. I have modified the pipeline to properly run the tests on macOS with Node versions 10, 12 and 14.
@hauserkristof might be worth updating the changelog, with entries for the incorrect/breaking 4.0.6 and the insecure 4.0.7 and the secure+compatible 4.0.8?
99e9763 to d9dbd9a (branch force-pushed)
I have extended the changelog.
It will be fixed by micromatch/micromatch#266 followed by a release, and is depended on by the estree stuff it looks like (so we don't use it in the real site).
@hauserkristof thanks for this PR. One nitpick... the code changes are not following the eslint rules, even though it looks like the code was copied from the changes in master. Specifically the quotes (should be single). I have my editor configured to run eslint fix when saving, so I can quickly fix this, but I just wanted to point it out in case you wanted to do another commit before this is merged.
Hey @doowb, but I may change these. It would be nice to know the agenda for the release before it.
No problem. I'll make the change (only the new changes are formatted when I save). Thanks.
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, where the pattern .* greedily matches anything. Given a malicious payload, the pattern matching keeps backtracking over the input as long as it does not find the closing bracket. As the input size grows, the time consumed grows with it until the application hangs or slows down. There was a merged fix, but further testing shows the issue persisted prior to micromatch/micromatch#266. The issue should be mitigated by using a safe pattern that does not start backtracking the regular expression because of greedy matching.
More info at #264
This PR maintains compatibility with 4.0.5 and prior versions but backports the CVE fix.
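The greedy-match problem described above, as an added example that is not code from the micromatch project or from this PR: a brace-detection check of the vulnerable shape (`/\{.*\}/`) beside a backtracking-free check that answers the same question, both timed on a constructed payload of unbalanced opening braces. The function names, the payload and the timing harness are this example's own assumptions, not the reporter's proof of concept or the project's patch.

```javascript
// Added example, not code from micromatch or from this PR. It contrasts a
// brace check of the vulnerable shape with a backtracking-free one and times
// both on a constructed payload. All names below are this example's own.

// Vulnerable shape: a greedy `.*` between the two braces. On input with many
// '{' and no '}', the engine matches '{', lets `.*` swallow the rest, then
// backs off one character at a time looking for '}', and repeats that from
// every later '{'. Work grows roughly with the square of the input length.
function hasBracesGreedy(pattern) {
  return /\{.*\}/.test(pattern);
}

// Safe check: locate the first '{', then look for a '}' after it. Two linear
// scans and no backtracking. Same answer as the regex on single-line input.
function hasBracesSafe(pattern) {
  const open = pattern.indexOf('{');
  return open > -1 && pattern.indexOf('}', open) > -1;
}

// Constructed payload (an assumption, not the reporter's proof of concept):
// an unbalanced run of opening braces with no closing brace anywhere.
function buildPayload(length) {
  return '{'.repeat(length);
}

// Run one checker on one pattern; return its result and wall-clock time in ms.
function timeCheck(check, pattern) {
  const start = Date.now();
  const result = check(pattern);
  return { result, ms: Date.now() - start };
}

// Compare both checks on payloads of increasing size. Returns one row per size
// so the growth can be inspected: the safe check stays flat while the greedy
// one climbs quickly, and both must agree on the (false) result.
function compare(sizes) {
  return sizes.map(n => {
    const payload = buildPayload(n);
    const greedy = timeCheck(hasBracesGreedy, payload);
    const safe = timeCheck(hasBracesSafe, payload);
    return { n, greedy: greedy.ms, safe: safe.ms, agree: greedy.result === safe.result };
  });
}

for (const row of compare([2000, 8000, 16000])) {
  console.log(`n=${row.n} greedy=${row.greedy}ms safe=${row.safe}ms agree=${row.agree}`);
}
```

One caveat when swapping a regex for an index scan: `.` in a JavaScript regex does not match line terminators, so the two checks differ only on a pattern with a newline between the braces; for glob patterns that is not a case worth preserving, but a regression test should pin down the intended answer. Assert on the boolean results rather than on the timings, which vary by machine.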
Hello, and thanks for contributing to micromatch!
tldr
There are three main goals in this document, depending on the nature of your PR:
The following sections provide more detail on each.
Improve this document
Please don't hesitate to ask questions for clarification, or to make suggestions (or a pull request) to improve this document.
Description
To help the project's maintainers and community to quickly understand the nature of your pull request, please create a description that incorporates the following elements:
Checklist
Please use the checklist that is most closely related to your PR (you only need to use one checklist, and you can skip items that aren't applicable or don't make sense):
Fixing typos
Documentation
Bug Fix
New Feature
Thanks for contributing!
Readme advice
Please review this section if you are updating readme documentation.
Readme template
This project uses verb for documentation. Verb generates the project's readme documentation from the .verb.md template in the root of this project.
Make all documentation changes in .verb.md, and please do not edit the readme.md directly, or your changes might accidentally get overwritten.
Code comments
Please add code comments (following the same style as existing comments) to describe any code changes or new code introduced by your pull request.
Optionally build the readme
Any changes made to .verb.md and/or code comments will be automatically incorporated into the README documentation the next time verb is run. We can take care of building the documentation for you when we merge in your changes, or feel free to run verb yourself. Whatever you prefer is fine with us.