
fix: braces: upgrade to 3.0.3 to mitigate CVE-2024-4068 #45

Draft

galanko wants to merge 2 commits into master from cliff/fix/braces@2.3.2-cve-2024-4068

Conversation


@galanko galanko commented May 18, 2026

Summary

Automated remediation for trivy finding: braces: fails to limit the number of characters it can handle

Vulnerability Details

  • CVE: CVE-2024-4068
  • Package: braces
  • Affected Versions: < 3.0.3
  • CVSS Score: 7.5
  • Severity: HIGH

Issue Description

The NPM package braces versions prior to 3.0.3 fail to limit the number of characters they can handle, which could lead to Memory Exhaustion. If a malicious user sends imbalanced braces as input, the parsing will enter a loop causing the program to allocate heap memory without freeing it. Eventually, the JavaScript heap limit is reached, causing a Denial of Service (DoS).

Changes

  • Upgraded braces from 2.3.2 to ^3.0.3 in devDependencies
  • Added braces to package.json overrides to enforce the patched version across the entire dependency tree
  • Updated package-lock.json to reflect the new dependency versions

Testing Recommendations

Before merging:

  1. Verify no CVE-2024-4068 appears in npm audit output
  2. Run full regression test suite: npm test
  3. Verify critical features still work as expected
  4. Check compatibility with any breaking changes in braces 3.x

Fix Impact

  • Safety: Fixes CVE-2024-4068 (Memory Exhaustion DoS vulnerability)
  • Breaking Changes: Upgrading from braces 2.x to 3.x is a major semver change. Review braces release notes for any breaking API changes.
  • Mitigation: The override forces all transitive dependencies to use braces 3.0.3+

Generated by Cliff remediation agent
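The PR's testing list asks the reviewer to confirm that no vulnerable copy of braces survives in the dependency tree, and the "Changes" section explains why an `overrides` entry is needed in addition to the devDependency bump: nested copies under other packages' `node_modules` are not touched by a top-level version change. The following Node.js script is an added example, not code from this PR, from the Cliff agent or from the braces project. It walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) for every installed path of a package whose version is still below the fixed release, and checks that `package.json` carries an override that pins the package at or above that release. The lockfile and package.json objects are constructed sample data, not the repository's real files, and the version comparison handles only plain `x.y.z` values with an optional `^`, `~` or `>=` prefix.

```javascript
// Added example (not part of the PR): verify that a lockfile no longer
// contains copies of a package below the version that fixes a CVE, and that
// package.json "overrides" pins the patched range for transitive consumers.

function parseVersion(v) {
  // "3.0.3" -> [3, 0, 3]; prerelease/build suffixes are ignored here.
  const core = String(v).trim().replace(/^[v=]/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

// -1 if a < b, 0 if equal, 1 if a > b (major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed path of `pkg` in the lockfile whose version is older than
// `fixedIn`. Nested paths such as "node_modules/x/node_modules/braces" are the
// copies a top-level devDependency bump alone would leave behind.
function findUnpatchedCopies(lockfile, pkg, fixedIn) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "" || !path.endsWith("node_modules/" + pkg)) continue;
    if (meta.version && compareVersions(meta.version, fixedIn) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// True when package.json has an "overrides" entry for `pkg` whose lower bound
// is at or above `fixedIn` (plain check on "^x.y.z" / "~x.y.z" / ">=x.y.z").
function overrideCoversFix(packageJson, pkg, fixedIn) {
  const o = (packageJson.overrides || {})[pkg];
  if (typeof o !== "string") return false;
  return compareVersions(o.replace(/^[\^~>=]+/, ""), fixedIn) >= 0;
}

// Constructed sample data (not the repository's real lockfile or manifest).
// "Before": one top-level copy and one nested copy, both vulnerable.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/braces": { version: "2.3.2" },
  "node_modules/some-tool": { version: "1.0.0" },
  "node_modules/some-tool/node_modules/braces": { version: "2.3.2" },
}};
// "After": the override collapsed the tree onto a single patched copy.
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/braces": { version: "3.0.3" },
  "node_modules/some-tool": { version: "1.0.0" },
}};
const PKG_JSON_AFTER = {
  devDependencies: { braces: "^3.0.3" },
  overrides: { braces: "^3.0.3" },
};

function report() {
  return {
    before: findUnpatchedCopies(LOCK_BEFORE, "braces", "3.0.3"),
    after: findUnpatchedCopies(LOCK_AFTER, "braces", "3.0.3"),
    overrideOk: overrideCoversFix(PKG_JSON_AFTER, "braces", "3.0.3"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

Against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and `JSON.parse(fs.readFileSync("package.json"))`; an empty `after` list together with `overrideOk: true` is the evidence the PR's first testing step asks for, independent of what `npm audit` happens to report.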

galanko added 2 commits May 18, 2026 18:42
Upgrade braces from 2.3.2 to ^3.0.3 in devDependencies and add to
package overrides to ensure all transitive dependencies use the patched
version. This fixes CVE-2024-4068 (Memory Exhaustion via unbounded
character parsing).

- Updates braces in devDependencies to ^3.0.3
- Adds braces to overrides to enforce the patched version across the
  dependency tree
- Updates package-lock.json to reflect the new dependency versions

coderabbitai Bot commented May 18, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 463a3d9c-6160-4456-99d5-c04908cba71d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.
