chore(deps): bump micromatch from 4.0.5 to 4.0.8 #442

Bumps [micromatch](https://github.com/micromatch/micromatch) from 4.0.5 to 4.0.8.
- [Release notes](https://github.com/micromatch/micromatch/releases)
- [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/micromatch@4.0.5...4.0.8)

---
updated-dependencies:
- dependency-name: micromatch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@coderabbitai can you take a look?

llm local review

Here is my review of the PR

Review:

| Package | Before | After |
|---|---|---|
| micromatch | 4.0.5 | 4.0.8 |
| braces | ^3.0.2 | ^3.0.3 |
Both are indirect dependencies — pulled in transitively by jest and fast-glob, which are themselves devDependencies. Neither reaches production bundles.
Security Context
- CVE-2024-4067 (micromatch): ReDoS (Regular Expression Denial of Service) via crafted glob patterns. Fixed in 4.0.8.
- CVE-2024-4068 (braces, micromatch's dep): Similar ReDoS issue. Fixed in
braces@3.0.3, which is now locked in.
Both CVEs are rated low-priority by the maintainers themselves, but patching is still correct practice.
CI Status
All checks pass: build, lint, test.
Issues / Notes
- Age: This PR has been open since August 28, 2024 — over 19 months. Automatic rebases were disabled by Dependabot for this reason. The merge commit (dc6a8e9) bringing in main was added today, which resolved any conflicts.
- No package.json change: micromatch is a transitive dep so no package.json entry is expected — yarn.lock-only is correct.
- Mergeable: No conflicts. CI passes. Only missing a required review approval.
Verdict
Approve and merge. The change is correct, minimal-risk, addresses real (if low-severity) CVEs in dev tooling, and CI is green. The only reason it hasn't been merged is age/stale status, not any technical concern.
Review:

| Package | Before | After |
|---|---|---|
| micromatch | 4.0.5 | 4.0.8 |
| braces (micromatch dep) | ^3.0.2 | ^3.0.3 |
Both are dev-only indirect dependencies — pulled in transitively by jest and fast-glob, and never shipped in production bundles.
CVE Breakdown
CVE-2024-4067 (micromatch, CVSS 5.3 — Medium):
The micromatch package prior to 4.0.8 is vulnerable to ReDoS. The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, pattern matching keeps backtracking while it doesn't find the closing bracket, causing consumption time to increase until the application hangs or slows down. This issue was fixed in version 4.0.8.
CVE-2024-4068 (braces, CVSS 7.5 — High):
The braces NPM package fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, causing the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. The security patch modified lib/constants.js to reduce MAX_LENGTH from 65,536 to 10,000 characters.
Worth noting: CVE-2024-4068 on braces carries a CVSS 7.5, which is higher than the local review's "low-priority" characterization (that language comes from the micromatch maintainers themselves, and applies more to CVE-2024-4067). Because braces is embedded in many higher-level libraries and build tools, a flaw in its parser has outsized operational impact — many applications include it transitively through other packages.
Risk Assessment for This Repo
That said, the actual risk to finch-api-node here is minimal:
- micromatch and braces are only reachable through jest/fast-glob as devDependencies
- There is no user-controlled input passed through these packages in the build/test pipeline
- The vulnerability would only be exploitable if someone could feed crafted glob patterns into CI tooling, which is not a realistic threat surface
CI & Merge Status
All checks pass (build, lint, test). The PR is conflict-free and only blocked on a required review approval.
Verdict
✅ Approve and merge. The change is correct, minimal-risk, properly addresses both CVEs in dev tooling, and CI is green. The only reason it's sat open is age/stale status.
[approve]
Review:

| Package | Before | After |
|---|---|---|
| micromatch | 4.0.5 | 4.0.8 |
| braces (micromatch dep) | ^3.0.2 | ^3.0.3 |
Both are dev-only indirect dependencies (pulled in by jest and fast-glob) and never reach production bundles.
CVE Breakdown
CVE-2024-4067 (micromatch — CVSS 5.3, Medium):
micromatch prior to 4.0.8 is vulnerable to ReDoS. The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything — by passing a malicious payload, pattern matching keeps backtracking while it doesn't find the closing bracket, causing consumption time to increase until the application hangs.
One important nuance: versions 4.0.6 and 4.0.7 attempted to fix this issue but the vulnerability persisted — version 4.0.8 was released as the ultimate fix for both CVE-2024-4067 and CVE-2024-4068. That makes 4.0.8 the only fully safe version.
The maintainers have noted that while automated scanners may flag this as high severity, they consider the issues low-priority.
CVE-2024-4068 (braces — CVSS 7.5, High):
braces prior to 3.0.3 fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop causing the program to start allocating heap memory without freeing it — eventually, the JavaScript heap limit is reached and the program will crash.
The "low-priority" language in the local review applies more to CVE-2024-4067. CVE-2024-4068 on braces is formally rated High at CVSS 7.5. Because braces is embedded in many higher-level libraries and build tools, a flaw in its parser has outsized operational impact — many applications include it transitively through other packages.
Risk to This Repo
That said, the practical risk here is minimal: both packages are only reachable through jest/fast-glob as devDependencies. There is no user-controlled input passed through these packages in the build/test pipeline, so exploitation is not a realistic threat in this context.
Verdict
✅ Approve and merge. The change is correct, minimal-risk, and properly addresses both CVEs. CI is green and the only reason it's sat open is age/stale status.
[approve]
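As an added example (not part of this PR or of the finch-api-node project), a small yarn.lock audit that checks whether both packages discussed in the reviews resolved to the patched releases. The lockfile fragment is constructed for illustration, and the minimum versions are the fixed releases named in the CVE notes above.

```javascript
// Constructed yarn.lock v1 fragment showing the post-merge state (illustrative only).
const SAMPLE_YARN_LOCK = `
micromatch@^4.0.4, micromatch@^4.0.5:
  version "4.0.8"
  dependencies:
    braces "^3.0.3"
    picomatch "^2.3.1"

braces@^3.0.2, braces@^3.0.3:
  version "3.0.3"
`;

// First releases containing the fixes: micromatch 4.0.8 (CVE-2024-4067),
// braces 3.0.3 (CVE-2024-4068).
const FIXED_VERSIONS = { micromatch: "4.0.8", braces: "3.0.3" };

// Parse a yarn.lock v1 into { name: [resolvedVersion, ...] }. Several ranges
// can resolve to different concrete versions, so every entry is kept.
function parseYarnLock(text) {
  const resolved = {};
  let current = null;
  for (const line of text.split("\n")) {
    const header = line.match(/^"?(@?[^@"\s]+)@[^:]*:$/);
    if (header) { current = header[1]; continue; }
    const version = line.match(/^\s+version "([^"]+)"/);
    if (version && current) {
      if (!resolved[current]) resolved[current] = [];
      resolved[current].push(version[1]);
    }
  }
  return resolved;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Returns one finding per resolved version that is older than the fixed release.
function findVulnerable(lockText, fixed = FIXED_VERSIONS) {
  const resolved = parseYarnLock(lockText);
  const findings = [];
  for (const [name, minimum] of Object.entries(fixed)) {
    for (const version of resolved[name] || []) {
      if (compareSemver(version, minimum) < 0) findings.push({ name, version, minimum });
    }
  }
  return findings;
}
```

Run it against the real lockfile with `findVulnerable(require("fs").readFileSync("yarn.lock", "utf8"))`; an empty array means every resolved copy of both packages is at or above the patched release.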
Bumps micromatch from 4.0.5 to 4.0.8.
Release notes
Sourced from micromatch's releases.
Changelog
Sourced from micromatch's changelog.
Commits
- 8bd704e 4.0.8
- a0e6841 run verb to generate README documentation
- 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
- 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
- 814f5f7 lint
- 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
- 113f2e3 fix: CVE numbers in CHANGELOG
- d9dbd9a feat: updated CHANGELOG
- 2ab1315 fix: use actions/setup-node@v4
- 1406ea3 feat: rework test to work on macos with node 10,12 and 14

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.