fix: Remediate CVE-2024-4068 — override braces to 3.0.3#45
fix: Remediate CVE-2024-4068 — override braces to 3.0.3#45devin-ai-integration[bot] wants to merge 2 commits into
Conversation
Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
…lockfile structure Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
CVE-2024-4068 Remediation SummaryWhat was changedAdded an npm "overrides": {
"braces": "^3.0.3"
}The WhyCVE-2024-4068 (HIGH) — The Affected dependency paths
CI noteThe failing ContextPart of Aviva Canada Tower 3 Vulnerability Management pipeline. CVE identified by Tenable scanning, assigned to Integration Team. |
Summary
Remediates CVE-2024-4068 (HIGH severity) — a Regular Expression Denial of Service (ReDoS) vulnerability in the
bracespackage prior to version 3.0.3. The inefficient regex inbraces.parse()allows attackers to cause excessive CPU consumption via crafted input.Fix approach: Added an npm
overridesfield inpackage.jsonto force all transitivebracesresolutions to^3.0.3:The
package-lock.jsonwas regenerated with npm 10 (Node 20) to apply the override. Allbracesinstances in the dependency tree are now marked as overridden pernpm ls braces.Affected dependency paths:
nodemon→chokidar→braces(resolved to 3.0.3 ✓)tap→nyc→micromatch→braces(override applied; note:nyc@11.9.0bundles its deps, so the physical files in the tarball remain at 2.3.2 — this is a known npm limitation with bundled dependencies)Context: Part of Aviva Canada Tower 3 Vulnerability Management pipeline. CVE identified by Tenable scanning, assigned to Integration Team.
Link to Devin session: https://app.devin.ai/sessions/307b23f92d13469ea43e8f2edcbc3ffd
Requested by: @iancmoritz
Devin Review