Skip to content

fix: Remediate CVE-2024-4068 — override braces to 3.0.3#45

Open
devin-ai-integration[bot] wants to merge 2 commits into
mainfrom
devin/1782305981-fix-cve-2024-4068-braces
Open

fix: Remediate CVE-2024-4068 — override braces to 3.0.3#45
devin-ai-integration[bot] wants to merge 2 commits into
mainfrom
devin/1782305981-fix-cve-2024-4068-braces

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Remediates CVE-2024-4068 (HIGH severity) — a Regular Expression Denial of Service (ReDoS) vulnerability in the braces package prior to version 3.0.3. The inefficient regex in braces.parse() allows attackers to cause excessive CPU consumption via crafted input.

Fix approach: Added an npm overrides field in package.json to force all transitive braces resolutions to ^3.0.3:

"overrides": {
  "braces": "^3.0.3"
}

The package-lock.json was regenerated with npm 10 (Node 20) to apply the override. All braces instances in the dependency tree are now marked as overridden per npm ls braces.

Affected dependency paths:

  • nodemonchokidarbraces (resolved to 3.0.3 ✓)
  • tapnycmicromatchbraces (override applied; note: nyc@11.9.0 bundles its deps, so the physical files in the tarball remain at 2.3.2 — this is a known npm limitation with bundled dependencies)

Context: Part of Aviva Canada Tower 3 Vulnerability Management pipeline. CVE identified by Tenable scanning, assigned to Integration Team.

Link to Devin session: https://app.devin.ai/sessions/307b23f92d13469ea43e8f2edcbc3ffd
Requested by: @iancmoritz


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

…lockfile structure

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

CVE-2024-4068 Remediation Summary

What was changed

Added an npm overrides field in package.json to force all transitive braces resolutions to ^3.0.3:

"overrides": {
  "braces": "^3.0.3"
}

The package-lock.json was updated (using npm 10 / Node 20) to reflect the override, bumping the hoisted braces from 3.0.23.0.3 and fill-range from 7.0.17.1.1.

Why

CVE-2024-4068 (HIGH) — The braces package before 3.0.3 contains an inefficient regular expression in its parse function, making it vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can craft input that causes catastrophic backtracking, consuming excessive CPU.

Affected dependency paths

Path Result
nodemonchokidarbraces ✅ Resolved to 3.0.3
tapnycmicromatchbraces Override applied (npm marks as "overridden"); physical files in nyc's bundled tarball remain at 2.3.2 — this is a known npm limitation with bundled dependencies

CI note

The failing build check is a pre-existing issuesnyk code test fails with Authentication error (SNYK-0005) due to missing SNYK_TOKEN/SNYK_ORG secrets. This is unrelated to this PR's changes.

Context

Part of Aviva Canada Tower 3 Vulnerability Management pipeline. CVE identified by Tenable scanning, assigned to Integration Team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants