[Snyk: Low] Regular Expression Denial of Service in braces

[jason-upchurch]

Summary

Low severity vulnerability found in braces
Description: Regular Expression Denial of Service (ReDoS)
Info: https://snyk.io/vuln/npm:braces:20180219
Introduced through: nswatch@0.2.0
From: nswatch@0.2.0 > chokidar@1.7.0 > anymatch@1.3.2 > micromatch@2.3.11 > braces@1.8.5
Fixed in: 2.3.1

Completion criteria:

• Determine whether there is a remediation path available for this issue.
• Identify next steps as appropriate.

[rfultz]

This is a dev dependency for us.

We're using several versions of braces but the version is question is being used by descendants of nswatch. nswatch is invoked when we run npm run watch so it's only used when we want our build process to watch our files and rebuild the project whenever we save a js, css, or hbs file. nswatch hasn't been updated in over a year and is still on version 0.2.0.

• braces@1.8.5 is the most recent v1; upgrading to 2 would require an update to micromatch.
• micromatch@2.3.11 is the most recent v2; upgrading to 3 would require an update to anymatch.
• anymatch@1.3.2 is the most recent v1; upgrading to 2 would require an update to chokidar.
• chokidar@1.7.0 is the most recent v1; upgrading to 2 would require an update to nswatch.
• nswatch@0.2.0 is the most recent—there is no update.

There's still no remediation but it's a very low vulnerability for us. I can't imagine how someone might use a DDOS against our local machines while we're watching files to change while we're working on them.

[jason-upchurch]

micromatch/anymatch#26 resolves the upstream micromatch

[jason-upchurch]

Hoping to resolve via PR egoist/nswatch#10

[lbeaufort]

Closing because this isn't a vulnerability.