
optimize regex

jonschlinkert committed Feb 16, 2018
1 parent 3793414 commit abdafb0cae1e0c00f184abbadc692f4eaa98f451
Showing with 1 addition and 1 deletion.
  1. +1 −1 lib/parsers.js
@@ -127,7 +127,7 @@ module.exports = function(braces, options) {
.set('multiplier', function() {
var isInside = this.isInside('brace');
var pos = this.position();
var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
var m = this.match(/^\{((?:,|\{,+\})+)\}/);
if (!m) return;

this.multiplier = true;
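Review bot: the commit message "optimize regex" does not record why the pattern changed, and the thread below shows this commit being looked up as the fix for the braces ReDoS advisory; a one-line note in the message (or a comment above `this.match`) saying that the old pattern allowed superlinear backtracking would save future auditors the reconstruction. The removed pattern chains `,+`, `(\{,+\})*` and `,*` inside two overlapping alternatives, so a non-matching input can be split between the adjacent comma quantifiers in many ways before the match fails; the replacement `(?:,|\{,+\})+` has one alternation whose branches start with distinct characters (`,` versus `{`), so each position is tried once. Two things to confirm before merging: the inner capture groups `(\{,+\})` are gone, so only `m[1]` is still defined and any later read of `m[2]` or `m[3]` in this handler would now be `undefined`; and the new pattern is broader than the old one (it accepts `{{,}}` and `{,{,},{,}}`, which the old pattern rejected because it required at least one bare comma and allowed only a single run of `{,+}` groups), so a test should pin down that this wider match is intended.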

5 comments on commit abdafb0

@sathish-spidie

replied Apr 18, 2019

Can you explain how to achieve this? I'm a low-level developer and didn't understand what this code stands for and what to do with it! Sorry if I waste your time by making you read this comment, in case you find this comment useless.

my error is

```
Low Regular Expression Denial of Service

Package braces

Patched in >=2.3.1

Dependency of browser-sync [dev]

Path browser-sync > micromatch > braces

More info https://npmjs.com/advisories/786
```

@kousu

replied Apr 18, 2019

@sathish-spidie, you can find the solution at the link there: https://npmjs.com/advisories/786:

Remediation

Upgrade to version 2.3.1 or higher.

What this means is that in your package.json you should make sure the line for "braces" under "dependencies" says

"braces": "^2.3.1",

and then delete your cached npm packages by

rm -r node_modules/ package-lock.json

and then

npm install

If you don't directly depend on "braces", which is the situation I am in, you can use

npm list

to figure out which of your packages is depending on "braces", and then go make sure to update each of those packages in the same way: version bump them, make sure to prefix the versions of everything with "^", and then delete your packages and regenerate package-lock.json by redoing npm install; that will get the latest, hopefully bugfixed, versions of all your packages; but if any of your packages have not yet updated to use "braces": "^2.3.1" then you will have to go to their github projects and file an issue.


A comment on a commit inside the braces project isn't really a proper general support forum for npm. For that, and for future questions, you will probably have good luck asking at https://npm.community/c/support. I hope the above helps and lets you extend your developer skills.
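The `npm list` step above finds which package pulls in a stale `braces`; the same answer can be read straight out of `package-lock.json`. The following is an added example (not code from the braces project or from anyone in this thread): it walks a lockfileVersion 1 `dependencies` tree and reports every copy of a package older than the patched version, with the same `a > b > c` path the advisory prints. The lock fragment is constructed, and versions are assumed to be plain dotted numbers (a `-prerelease` suffix is ignored).

```javascript
// Added example: audit an npm lockfileVersion-1 tree for stale nested copies
// of a package. Not part of the braces project; the lock data is constructed.

const PATCHED = '2.3.1'; // "Patched in >=2.3.1" from the advisory in the thread

// Compare dotted numeric versions: <0 if a < b, 0 if equal, >0 if a > b.
// Assumption: a trailing "-prerelease" tag, if any, is dropped before comparing.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect { path, version } for every copy of `pkg` whose
// version is below `patched`. Nested copies live under a parent's
// own "dependencies" object, which is why a top-level 2.3.2 does not
// prove that no 2.3.0 is still installed deeper in the tree.
function findVulnerable(lock, pkg, patched, trail = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = trail.concat(name);
    if (name === pkg && compareVersions(entry.version, patched) < 0) {
      out.push({ path: path.join(' > '), version: entry.version });
    }
    if (entry.dependencies) findVulnerable(entry, pkg, patched, path, out);
  }
  return out;
}

// Constructed package-lock.json fragment (versions other than braces are
// placeholders): a patched top-level braces plus a stale copy nested
// under browser-sync > micromatch, mirroring the advisory's "Path" line.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    braces: { version: '2.3.2' },
    'browser-sync': {
      version: '0.0.0-placeholder', dev: true,
      dependencies: {
        micromatch: {
          version: '0.0.0-placeholder',
          dependencies: { braces: { version: '2.3.0' } },
        },
      },
    },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK, 'braces', PATCHED)) {
  console.log(`${f.path} is at ${f.version}, below ${PATCHED}`);
}
```

Run against a real lock file with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; each reported path names the direct dependency that has to be bumped.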

@jonschlinkert

Member Author

replied Apr 18, 2019

@kousu that was a fantastic description, and a really good summary of the steps that need to be taken. Thank you!

> you will probably have good luck asking at https://npm.community/c/support. I hope the above helps and lets you extend your developer skills.

Only one thing I'd like to point out. Generally, https://npm.community/c/support is for NPM support, not for packages like this one. Meaning, if you need something directly related to the package manager itself, that's the place to go. But ideally, when a user has an issue or support question like this, the best place to get answers is to:

  1. read through previous issues first - @sathish-spidie would have seen that this question has been answered a couple of dozen times already on this project and other projects that depend on this one
  2. StackOverflow - people get reputation points for helping others
  3. if it seems like no one has addressed the issue already, and you have genuinely stumbled across a previously undiscovered bug, then create a new issue on the GitHub repository of the code project.

@KevinGrant12

replied May 8, 2019

Hello, I have the same exact issue that stems from babel.
I was unable to run this line rm -r node_modules/ package-lock.json and it makes sense because the package-lock is not inside the node_modules directory.
When I run npm list I can see that instances of 'braces' are at 2.3.2.

Any thoughts on how to fix?
Thanks!

@biggianteye

replied Jun 7, 2019

> I was unable to run this line rm -r node_modules/ package-lock.json and it makes sense because the package-lock is not inside the node_modules directory.

There is a space between node_modules and package-lock.json. The lock file is not inside the node_modules folder. It's at the same level.
