Upgrade brace-expansion to version 1.1.7 or later. #106
Comments
dylansmith
added a commit
to dylansmith/minimatch
that referenced
this issue
Apr 26, 2017
|
Minimatch 3.0.3 already specifies: "brace-expansion": "^1.0.0" so it should pick up the new version. Do "npm uninstall brace-expansion" and reinstall. |
|
This was actually recently updated and merged in #107 (published as |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
brace-expansion is a module to support bash-like brace expansion in JavaScript. For example,{1,2,3,4} would expand to 1 2 3 4. brace expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks. A proof of concept is provided below:
var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
references:
juliangruber/brace-expansion#33
https://github.com/juliangruber/brace-expansion/pull/35/files
The text was updated successfully, but these errors were encountered: