fix(security): bump braces to 3.0.3 — ReDoS (SDK-6068) #82
Open
AakashHotchandani wants to merge 1 commit into
Conversation
braces < 3.0.3 is vulnerable to uncontrolled resource consumption (ReDoS) via malformed brace expansion — GHSA-grv7-fg5c-xmjg (CWE-400, CVSS 6.5). It reaches this repo transitively (nightwatch -> chokidar -> braces) and is used during nightwatch test-path glob expansion.

Surgical lockfile-only edit (lockfileVersion 1 preserved):
- braces 3.0.2 -> 3.0.3 (requires fill-range ^7.1.1)
- fill-range 7.0.1 -> 7.1.1 (braces 3.0.3's pinned dependency; to-regex-range dep unchanged)

Verified: `npm ci` succeeds against the edited lockfile and resolves braces@3.0.3 / fill-range@7.1.1 — vulnerable braces@3.0.2 is gone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

🤖 Automated review (pr-review agent)
Verdict: ✅ Approve — Risk: Low · 0 critical · 0 warnings · 2 informational follow-ups. Surgical lockfileVersion-1 edit verified correct and internally consistent.
Per-file confidence:
Informational follow-ups (not blockers): a deliberate v1→v3 lockfile migration on a separate PR; enable Dependabot (now added in #83) to automate future transitive bumps.
Summary

Remediates SDK-6068 — `braces` ReDoS (GHSA-grv7-fg5c-xmjg, CWE-400, CVSS 6.5). `braces@3.0.2` (< 3.0.3) is vulnerable to uncontrolled resource consumption: a malformed brace expression triggers catastrophic backtracking that hangs the process. It's reachable transitively here (nightwatch → chokidar → braces) and is used during nightwatch test-path glob expansion. In CI, if an attacker can influence the test path (chains with the `commit_sha` vector), the runner can be hung — pipeline DoS.

Change (lockfile-only, surgical)

The lockfile is `lockfileVersion: 1`; rather than migrate the whole file to v3, this is a targeted 2-entry edit:
- `braces` 3.0.2 → 3.0.3 (its `requires` floor moves to `fill-range ^7.1.1`)
- `fill-range` 7.0.1 → 7.1.1 (braces 3.0.3's pinned dependency; `to-regex-range ^5.0.1` dep unchanged; braces is its only consumer)

Patch-level bump, non-breaking, no `package.json` change needed.

Verification

- `npm ci` against the edited lockfile succeeds (proves the lockfile is internally consistent).
- `npm ls braces` resolves braces@3.0.3 / fill-range@7.1.1 — vulnerable `braces@3.0.2` is gone.
- `package-lock.json` only, 7 ins / 7 del.

Jira: SDK-6068

🤖 Generated with Claude Code
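As an added example (not code from the PR or the repository), a small Node.js audit of a lockfileVersion-1 package-lock.json that lists every copy of braces below 3.0.3, including nested copies a root-level edit would miss, and checks the `requires` caret floors the PR relies on, which is why bumping braces alone without fill-range leaves the lockfile inconsistent. Apart from braces 3.0.2/3.0.3 and fill-range 7.0.1/7.1.1, which the PR names, the sample lockfile and its versions are constructed.

```javascript
// Added example (not the PR's code): audit a lockfileVersion-1 package-lock.json for copies of a
// vulnerable package and check each "requires" caret range against the copy npm would resolve.
const parseVer = (v) => v.replace(/^[~^]/, "").split("-")[0].split(".").map(Number);
// Numeric x.y.z comparison (prerelease tags ignored); negative when a < b.
function compareVer(a, b) {
  const [pa, pb] = [parseVer(a), parseVer(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// ^x.y.z with x >= 1: same major and not below the floor.
const satisfiesCaret = (range, v) => parseVer(range)[0] === parseVer(v)[0] && compareVer(v, range) >= 0;
// Walk every nested v1 "dependencies" map; list each copy of `name` below `fixedIn` with its path.
function findVulnerable(scope, name, fixedIn, path = [], out = []) {
  for (const [dep, entry] of Object.entries(scope.dependencies || {})) {
    const here = [...path, `${dep}@${entry.version}`];
    if (dep === name && compareVer(entry.version, fixedIn) < 0) out.push(here.join(" > "));
    findVulnerable(entry, name, fixedIn, here, out);
  }
  return out;
}

// Each "requires" ^ range must be met by the nearest copy (nested first, then outward to the root);
// other range syntaxes are skipped. Returns the list of unsatisfied requirements.
function checkRequires(scopes, out = []) {
  for (const [dep, entry] of Object.entries(scopes[scopes.length - 1].dependencies || {})) {
    const chain = [...scopes, entry];
    for (const [req, range] of Object.entries(entry.requires || {})) {
      if (!range.startsWith("^")) continue;
      const got = [...chain].reverse().map((s) => s.dependencies?.[req]?.version).find(Boolean);
      if (!got || !satisfiesCaret(range, got)) out.push(`${dep}@${entry.version} requires ${req}@${range}, got ${got ?? "nothing"}`);
    }
    checkRequires(chain, out);
  }
  return out;
}

// Constructed sample of the PR's chain; only braces 3.0.2 / fill-range 7.0.1 are the real pre-fix versions.
const LOCK_BEFORE = { lockfileVersion: 1, dependencies: {
  nightwatch: { version: "1.0.0", requires: { chokidar: "^3.0.0" } },
  chokidar: { version: "3.0.0", requires: { braces: "^3.0.2" } },
  braces: { version: "3.0.2", requires: { "fill-range": "^7.0.1" } },
  "fill-range": { version: "7.0.1" },
} };

// The PR's two-entry edit applied to a deep copy; `bracesOnly` reproduces bumping braces alone.
function bump(lock, bracesOnly = false) {
  const fixed = JSON.parse(JSON.stringify(lock));
  fixed.dependencies.braces = { version: "3.0.3", requires: { "fill-range": "^7.1.1" } };
  if (!bracesOnly) fixed.dependencies["fill-range"] = { version: "7.1.1" };
  return fixed;
}
```

Running `checkRequires([bump(LOCK_BEFORE, true)])` reports the missing fill-range floor that the real lockfile would trip over, while `bump(LOCK_BEFORE)` passes both checks.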