Skip to content

[Security] Bump braces from 3.0.2 to 3.0.3

Dependabot requested to merge dependabot-npm_and_yarn-braces-3.0.3 into master

Bumps braces from 3.0.2 to 3.0.3. This update includes a security fix.

Vulnerabilities fixed

Uncontrolled resource consumption in braces The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Patched versions: 3.0.3 Affected versions: < 3.0.3

Commits


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports

Loading