fix: micromatch: vulnerable to Regular Expression Denial of Service (CVE-2024-4067) #26

Draft
galanko wants to merge 1 commit into master from opensec/fix/micromatch-cve-2024-4067

Conversation

@galanko galanko commented May 15, 2026

Summary

Automated remediation for trivy finding: micromatch vulnerable to Regular Expression Denial of Service (CVE-2024-4067)

Changes

  • Added npm override constraint to enforce micromatch >= 4.0.8 across the entire dependency tree
  • Updated package-lock.json to reflect the resolved micromatch@4.0.8 version
  • The vulnerable micromatch@3.1.10 was being pulled in via the transitive dependency chain: nodemon → chokidar@2.1.8 → anymatch@2.0.0 → micromatch@3.1.10

Vulnerability Details

  • CVE: CVE-2024-4067
  • CVSS Score: 5.3 (MEDIUM)
  • Vulnerability Type: Regular Expression Denial of Service (ReDoS)
  • Affected Component: micromatch < 4.0.8
  • Fix Version: 4.0.8

The vulnerability occurs in micromatch.braces() due to greedy regex pattern matching (.*) that causes excessive backtracking when encountering malformed input with unmatched brackets. This can lead to application hangs or slowdowns.

Testing

  • ✅ All unit tests pass
  • ✅ No breaking changes detected
  • ✅ Dependency tree verified: micromatch@4.0.8 now used throughout (with necessary overrides)
  • ✅ npm install completed successfully with updated dependencies

Impact

  • Fix safety: breaking_change (major version bump from 3.x to 4.x, but no application code changes required due to usage being indirect)
  • Blast radius: Limited to micromatch dependency consumers; direct impact only if braces() function is exposed to untrusted input
  • No runtime errors in dependent code after upgrade

Generated by OpenSec remediation agent
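The "Dependency tree verified" bullet above is the check that matters once an override is added: every copy of micromatch in the lockfile, nested ones included, must resolve at or above the fixed version. The script below is an added example, not part of this PR or of the OpenSec agent; it assumes a lockfile v2/v3 `packages` map and uses a constructed lockfile fragment that mirrors the chokidar → anymatch → micromatch@3.1.10 chain named in the description.

```javascript
// Added example (not from the PR): audit a lockfile v2/v3 "packages" map for
// micromatch entries below the fixed version named in CVE-2024-4067's advisory.
const FIXED_VERSION = "4.0.8";

// Minimal numeric semver comparison (x.y.z only); returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Walk every installed copy of `name` (top-level and nested) and return those
// older than `minVersion`, with the lockfile path that shows which parent
// package still pulls the old copy in.
function findOutdated(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith(suffix) && meta.version)
    .filter(([, meta]) => compareVersions(meta.version, minVersion) < 0)
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed lockfile fragment: a patched top-level copy plus the vulnerable
// nested copy that anymatch@2.0.0 resolves to before the override is applied.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/micromatch": { version: "4.0.8" },
    "node_modules/chokidar": { version: "2.1.8" },
    "node_modules/anymatch": { version: "2.0.0" },
    "node_modules/anymatch/node_modules/micromatch": { version: "3.1.10" },
  },
};

// The package.json override that makes the nested copy disappear after
// `npm install`, matching the constraint described in the PR.
const overrideFix = { overrides: { micromatch: ">=4.0.8" } };

const findings = findOutdated(sampleLock, "micromatch", FIXED_VERSION);
for (const f of findings) {
  console.log(`vulnerable ${f.path}@${f.version} (< ${FIXED_VERSION})`);
}
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result after `npm install` confirms the override took effect across the tree.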
