From 46b30fd3f4c737ccf948b783b282e9b30a539f93 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 2 Aug 2024 17:25:01 -0700 Subject: [PATCH 001/138] first pass --- .circleci/config.yml | 198 +++++-- automation/db-backup/scripts/db_restore.sh | 609 +++++++++++++++++++++ automation/manifest-process.yml | 0 automation/manifest-restore.yml | 18 + 4 files changed, 792 insertions(+), 33 deletions(-) create mode 100644 automation/db-backup/scripts/db_restore.sh create mode 100644 automation/manifest-process.yml create mode 100644 automation/manifest-restore.yml diff --git a/.circleci/config.yml b/.circleci/config.yml index b987a01dd1..a9a0529cc9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -167,7 +167,6 @@ commands: else echo "Slack notification sent successfully" fi - notify_slack_deploy: parameters: slack_bot_token: @@ -229,8 +228,6 @@ commands: slack_bot_token: << parameters.slack_bot_token >> slack_channel: << parameters.slack_channel >> message_text_file: "/tmp/message_file" - - cf_deploy: description: "Login to cloud foundry space with service account credentials and push application using deployment configuration file." 
@@ -369,33 +366,38 @@ commands: # name: Push maintenance application # command: | # cd maintenance_page && cf push -s cflinuxfs4 --vars-file ../<> - cf_backup: - description: "Login to cloud foundry space with service account credentials, Connect to DB & S3, backup DB to S3" + cf_automation_task: + description: "Login to Cloud Foundry space, run automation task, and send notification" parameters: auth_client_secret: - description: "Name of CircleCi project environment variable that - holds authentication client secret, a required application variable" + description: "Name of CircleCi project environment variable that holds authentication client secret" type: env_var_name cloudgov_username: - description: "Name of CircleCi project environment variable that - holds deployer username for cloudgov space" + description: "Name of CircleCi project environment variable that holds deployer username for Cloud Foundry space" type: env_var_name cloudgov_password: - description: "Name of CircleCi project environment variable that - holds deployer password for cloudgov space" + description: "Name of CircleCi project environment variable that holds deployer password for Cloud Foundry space" type: env_var_name cloudgov_space: - description: "Name of CircleCi project environment variable that - holds name of cloudgov space to target for application deployment" + description: "Name of CircleCi project environment variable that holds name of Cloud Foundry space to target for application deployment" type: env_var_name - rds_service_name: - description: "Name of the rds service to backup" + task_name: + description: "Name of the automation task to run" + type: string + task_command: + description: "Command to run for the automation task" + type: string + task_args: + description: "Arguments for the automation task" type: string - s3_service_name: - description: "Name of the s3 service access" + manifest: + description: "Manifest file for the automation task" type: string - 
backup_prefix: - description: "prefix name to use for backups" + success_message: + description: "Success message for Slack notification" + type: string + fail_message: + description: "Fail message for Slack notification" type: string steps: - run: @@ -449,7 +451,7 @@ commands: #!/bin/bash CONTROL_FILE="/tmp/stop_tail" rm -f $CONTROL_FILE - + # Start tailing logs cf logs tta-automation & @@ -466,15 +468,15 @@ commands: echo "cf logs command for tta-automation has been terminated." background: true - run: - name: cf_lambda - script to trigger backup + name: cf_lambda - script to trigger task command: | set -x json_data=$(jq -n \ --arg automation_dir "./automation" \ - --arg manifest "manifest.yml" \ - --arg task_name "backup" \ - --arg command "cd /home/vcap/app/db-backup/scripts; bash ./db_backup.sh" \ - --argjson args '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' \ + --arg manifest "<< parameters.manifest >>" \ + --arg task_name "<< parameters.task_name >>" \ + --arg command "<< parameters.task_command >>" \ + --argjson args '<< parameters.task_args >>' \ '{ automation_dir: $automation_dir, manifest: $manifest, @@ -487,17 +489,14 @@ commands: find ./automation -name "*.sh" -exec chmod +x {} \; ./automation/ci/scripts/cf_lambda.sh "$json_data" - environment: - CF_RDS_SERVICE_NAME: ttahub-prod - CF_S3_SERVICE_NAME: ttahub-db-backups - run: name: Generate Message command: | if [ ! -z "$CIRCLE_PULL_REQUEST" ]; then PR_NUMBER=${CIRCLE_PULL_REQUEST##*/} - echo ":download::database: Production backup before PR <$CIRCLE_PULL_REQUEST|$PR_NUMBER> successful!" > /tmp/message_file + echo "<< parameters.success_message >> before PR <$CIRCLE_PULL_REQUEST|$PR_NUMBER> successful!" > /tmp/message_file else - echo ":download::database: Production backup successful!" > /tmp/message_file + echo "<< parameters.success_message >> successful!" > /tmp/message_file fi - notify_slack: slack_bot_token: $SLACK_BOT_TOKEN 
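Review bot: In the `cf_lambda - script to trigger task` step, `<< parameters.manifest >>`, `<< parameters.task_name >>`, `<< parameters.task_command >>` and `<< parameters.task_args >>` are pasted into the shell text before bash runs, so a quote character inside any value changes how the `jq` command line is parsed. Passing the values through the step's `environment:` block and referencing them as `--arg command "$TASK_COMMAND"` and `--argjson args "$TASK_ARGS"` keeps them as data. The `Generate Message` hunk below has the same pattern: the `success_message` values that `cf_backup` and `cf_restore` pass contain double quotes, which close the `echo "..."` string, so those quotes never reach Slack. The step also runs under `set -x`, which prints the assembled `json_data` to the job log, so it is worth a comment that `task_args` must never carry a secret. Both `run` blocks start or end outside their hunks.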
@@ -509,13 +508,82 @@ commands: # Signal the log monitoring to stop CONTROL_FILE="/tmp/stop_tail" touch $CONTROL_FILE - + # Wait for the log monitoring process to terminate sleep 5 # Logout from Cloud Foundry cf logout - + cf_backup: + description: "Backup database to S3" + parameters: + auth_client_secret: { type: env_var_name } + cloudgov_username: { type: env_var_name } + cloudgov_password: { type: env_var_name } + cloudgov_space: { type: env_var_name } + rds_service_name: { type: string } + s3_service_name: { type: string } + backup_prefix: { type: string } + steps: + - cf_automation_task: + auth_client_secret: << parameters.auth_client_secret >> + cloudgov_username: << parameters.cloudgov_username >> + cloudgov_password: << parameters.cloudgov_password >> + cloudgov_space: << parameters.cloudgov_space >> + task_name: "backup" + task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_backup.sh" + task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' + manifest: "manifest.yml" + success_message: ':download::database: "<< parameters.backup_prefix >>" backup' + cf_restore: + description: "Restore backup database from S3" + parameters: + auth_client_secret: { type: env_var_name } + cloudgov_username: { type: env_var_name } + cloudgov_password: { type: env_var_name } + cloudgov_space: { type: env_var_name } + rds_service_name: { type: string } + s3_service_name: { type: string } + backup_prefix: { type: string } + steps: + - run: + name: Validate Parameters + command: | + if [ "<< parameters.rds_service_name >>" = "ttahub-prod" ]; then + echo "Error: rds_service_name cannot be 'ttahub-prod'" + exit 1 + fi + - cf_automation_task: + auth_client_secret: << parameters.auth_client_secret >> + cloudgov_username: << parameters.cloudgov_username >> + cloudgov_password: << parameters.cloudgov_password >> + cloudgov_space: << parameters.cloudgov_space >> + task_name: "restore" + task_command: "cd 
/home/vcap/app/db-backup/scripts; bash ./db_restore.sh" + task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' + manifest: "manifest-restore.yml" + success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' + cf_process: + description: "process database from S3" + parameters: + auth_client_secret: { type: env_var_name } + cloudgov_username: { type: env_var_name } + cloudgov_password: { type: env_var_name } + cloudgov_space: { type: env_var_name } + rds_service_name: { type: string } + s3_service_name: { type: string } + backup_prefix: { type: string } + steps: + - cf_automation_task: + auth_client_secret: << parameters.auth_client_secret >> + cloudgov_username: << parameters.cloudgov_username >> + cloudgov_password: << parameters.cloudgov_password >> + cloudgov_space: << parameters.cloudgov_space >> + task_name: "process" + task_command: "cd /home/vcap/app/db-restore/scripts; bash ./db_restore.sh" + task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' + manifest: "manifest-process.yml" + success_message: ':database: "<< parameters.backup_prefix >>" Restored' parameters: cg_org: description: "Cloud Foundry cloud.gov organization name" @@ -571,6 +639,9 @@ parameters: manual-trigger: type: boolean default: false + manual-process: + type: boolean + default: false jobs: build_and_lint: executor: docker-executor 
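Review bot: The `Validate Parameters` step in `cf_restore` protects production with an exact-match denylist on `ttahub-prod`, so a renamed or additional production database service would pass the check. An allowlist of restore targets fails closed, for example `case "<< parameters.rds_service_name >>" in ttahub-process) ;; *) echo "Error: restore target not allowed"; exit 1 ;; esac`. The guard also lives only in the CI config; repeating it at the top of `perform_restore` in `db_restore.sh` would keep it in force when the script is started some other way. A one-line comment above the step saying why production is excluded would help the next reader.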
@@ -1190,10 +1261,64 @@ jobs: rds_service_name: ttahub-prod s3_service_name: ttahub-db-backups backup_prefix: production + restore_production_for_processing: + docker: + - image: cimg/base:2024.05 + steps: + - sparse_checkout: + directories: 'automation' + branch: << pipeline.git.branch >> + - cf_restore: + auth_client_secret: PROD_AUTH_CLIENT_SECRET + cloudgov_username: CLOUDGOV_PROD_USERNAME + cloudgov_password: CLOUDGOV_PROD_PASSWORD + cloudgov_space: CLOUDGOV_PROD_SPACE + rds_service_name: ttahub-process + s3_service_name: ttahub-db-backups + backup_prefix: production + process_production: + executor: docker-executor + steps: + - checkout + - create_combined_yarnlock + - restore_cache: + keys: + # To manually bust the cache, increment the version e.g. v7-yarn... + - v14-yarn-deps-{{ checksum "combined-yarnlock.txt" }} + # If checksum is new, restore partial cache + - v14-yarn-deps- + - run: yarn deps + - run: + name: Build backend assets + command: yarn build + - cf_process: + auth_client_secret: PROD_AUTH_CLIENT_SECRET + cloudgov_username: CLOUDGOV_PROD_USERNAME + cloudgov_password: CLOUDGOV_PROD_PASSWORD + cloudgov_space: CLOUDGOV_PROD_SPACE + rds_service_name: ttahub-process + s3_service_name: ttahub-db-backups + process_backup: + docker: + - image: cimg/base:2024.05 + steps: + - sparse_checkout: + directories: 'automation' + branch: << pipeline.git.branch >> + - cf_backup: + auth_client_secret: PROD_AUTH_CLIENT_SECRET + cloudgov_username: CLOUDGOV_PROD_USERNAME + cloudgov_password: CLOUDGOV_PROD_PASSWORD + cloudgov_space: CLOUDGOV_PROD_SPACE + rds_service_name: ttahub-process + s3_service_name: ttahub-db-backups + backup_prefix: processed workflows: build_test_deploy: when: - equal: [false, << pipeline.parameters.manual-trigger >>] + and: + - equal: [false, << pipeline.parameters.manual-trigger >>] + - equal: [false, << pipeline.parameters.manual-process >>] jobs: - build_and_lint - build_and_lint_similarity_api 
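Review bot: `restore_production_for_processing` and `process_backup` check out `automation` from `<< pipeline.git.branch >>` and run it with `CLOUDGOV_PROD_USERNAME` and `CLOUDGOV_PROD_PASSWORD`, and the `manual_process_production` workflow added in the next hunk has no branch filter. As written, scripts from whichever branch the pipeline is triggered on run with production deployer credentials. If that is not restricted elsewhere (a restricted context or an approval job, not visible here), add `filters: { branches: { only: <protected-branch> } }` to each job in that workflow. The three jobs in that workflow also have no `requires:`, so CircleCI starts them in parallel and `process_production` and `process_backup` can run before the restore has finished; `requires: [restore_production_for_processing]` and `requires: [process_production]` would give the intended order.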
@@ -1301,3 +1426,10 @@ workflows: equal: [true, << pipeline.parameters.manual-trigger >>] jobs: - backup_upload_production + manual_process_production: + when: + equal: [true, << pipeline.parameters.manual-process >>] + jobs: + - restore_production_for_processing + - process_production + - process_backup diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh new file mode 100644 index 0000000000..901affe3a2 --- /dev/null +++ b/automation/db-backup/scripts/db_restore.sh 
@@ -0,0 +1,609 @@ +#!/bin/bash +set -e +set -u +set -o pipefail +set -o noglob +set -o noclobber + +# ----------------------------------------------------------------------------- +# Generic helper functions +# ----------------------------------------------------------------------------- +# Enhanced logging function with timestamp and output stream handling +function log() { + local type="$1" + local message="$2" + local timestamp + timestamp=$(date '+%Y-%m-%d %H:%M:%S') + echo "[$timestamp] $type: $message" >&2 +} + +# Parameter Validation +function parameters_validate() { + local param="$1" + if [[ -z "${param}" ]]; then + log "ERROR" "Parameter is unset or empty." + set -e + exit 1 + fi +} + +# Export Validation +function export_validate() { + local param="$1" + + # Check if the parameter is set + if ! declare -p "$param" &>/dev/null; then + log "ERROR" "Parameter '$param' is unset." + set -e + exit 1 + fi + + # Check if the parameter is exported + if [[ "$(declare -p "$param")" != *" -x "* ]]; then + log "ERROR" "Parameter '$param' is not exported." + set -e + exit 1 + fi +} + +# Check for required dependencies +function check_dependencies() { + local dependencies=("$@") + for dep in "${dependencies[@]}"; do + if ! type "${dep}" > /dev/null 2>&1; then + log "ERROR" "Dependency ${dep} is not installed." + set -e + exit 1 + fi + done +} + +# Add a directory to PATH if it is not already included +function add_to_path() { + local new_dir="$1" + + if [[ ":$PATH:" != *":$new_dir:"* ]]; then + export PATH="$new_dir:$PATH" + log "INFO" "Added $new_dir to PATH." + else + log "INFO" "$new_dir is already in PATH." 
+ fi +} + +# monitor memory usage +function monitor_memory() { + local pid=$1 + local interval=${2-0.5} + local max_mem_mb=0 + local max_system_mem_mb=0 + local mem_kb + local mem_mb + local system_mem_bytes + local system_mem_mb + local start_time + start_time=$(date +%s) # Record start time in seconds + + # Path to the container's memory cgroup + local MEM_CGROUP_PATH="/sys/fs/cgroup/memory" + + # Trap to handle script exits and interruptions + local exit_code duration end_time + trap 'exit_code=$?; \ + end_time=$(date +%s); \ + duration=$((end_time - start_time)); \ + log "STAT" "Exit code: $exit_code"; \ + log "STAT" "Maximum memory used by the process: $max_mem_mb MB"; \ + log "STAT" "Maximum container memory used: $max_system_mem_mb MB"; \ + log "STAT" "Duration of the run: $duration seconds from $start_time to $end_time"; \ + exit $exit_code' EXIT SIGINT SIGTERM + + # Monitor memory usage + log "INFO" "Monitoring started at: $start_time"; + while true; do + if [ ! -e "/proc/$pid" ]; then + break + fi + # Process-specific memory in kilobytes, then convert to megabytes + mem_kb=$(awk '/VmRSS/{print $2}' "/proc/$pid/status" 2>/dev/null) + mem_mb=$((mem_kb / 1024)) + if [[ "$mem_mb" -gt "$max_mem_mb" ]]; then + max_mem_mb=$mem_mb + fi + + # Container-specific memory (used memory) in bytes, then convert to megabytes + system_mem_bytes=$(cat $MEM_CGROUP_PATH/memory.usage_in_bytes) + system_mem_mb=$((system_mem_bytes / 1024 / 1024)) + if [[ "$system_mem_mb" -gt "$max_system_mem_mb" ]]; then + max_system_mem_mb=$system_mem_mb + fi + + sleep "$interval" + done +} +# ----------------------------------------------------------------------------- + +# ----------------------------------------------------------------------------- +# JSON helper functions +# ----------------------------------------------------------------------------- +# Validate JSON +function validate_json() { + local json_data="$1" + log "INFO" "Validating JSON..." + if ! 
echo "${json_data}" | jq empty 2>/dev/null; then + log "ERROR" "Invalid JSON format." + set -e + exit 6 + fi +} + +# Append to a JSON array +function append_to_json_array() { + local existing_json="$1" + local new_json="$2" + + validate_json "$existing_json" + validate_json "$new_json" + + # Use jq to append the new JSON object to the existing array + updated_json=$(jq --argjson obj "$new_json" '. += [$obj]' <<< "$existing_json") + + # Check if the update was successful + if ! updated_json=$(jq --argjson obj "$new_json" '. += [$obj]' <<< "$existing_json"); then + log "ERROR" "Failed to append JSON object." + set -e + return 1 + fi + + validate_json "$updated_json" + + echo "$updated_json" +} + +# Find object in array by key & value +function find_json_object() { + local json_data="$1" + local key="$2" + local value="$3" + + validate_json "$json_data" + + # Search for the object in the JSON array + local found_object + found_object=$(jq -c --arg key "$key" --arg value "$value" '.[] | select(.[$key] == $value)' <<< "$json_data") + + # Check if an object was found + if [ -z "$found_object" ]; then + log "INFO" "No object found with $key = $value." + set -e + return 1 + else + log "INFO" "Object found" + fi + + echo "$found_object" +} + +# Function to process JSON with a jq query and handle jq errors +process_json() { + local json_string="$1" + local jq_query="$2" + local jq_flag="${3-}" + + # Use jq to process the JSON string with the provided jq query + # Capture stderr in a variable to handle jq errors + local result + result=$(echo "$json_string" | jq $jq_flag "$jq_query" 2>&1) + local jq_exit_status=$? 
+ + # Check jq execution status + if [ $jq_exit_status -ne 0 ]; then + log "ERROR" "jq execution failed: $result" + set -e + return $jq_exit_status # Return with an error status + fi + + # Check if the result is empty or null (jq returns 'null' if no data matches the query) + if [[ -z $result || $result == "null" ]]; then + log "ERROR" "No value found for the provided jq query." + set -e + return 1 # Return with an error status + else + echo "$result" + set -e + return 0 + fi +} +# ----------------------------------------------------------------------------- + +# ----------------------------------------------------------------------------- +# File & Script helper functions +# ----------------------------------------------------------------------------- +# run an script and return its output if successful +run_script() { + local script_name="$1" + local script_dir="$2" + shift 2 # Shift the first two arguments out, leaving any additional arguments + + parameters_validate "${script_name}" + + log "INFO" "Resolve the full path of the script" + local script_path + if [[ -d "$script_dir" ]]; then + script_path="$(cd "$script_dir" && pwd)/$script_name" + else + log "ERROR" "The specified directory $script_dir does not exist." + set -e + return 1 # Return with an error status + fi + + log "INFO" "Check if the script exists" + if [ ! -f "$script_path" ]; then + log "ERROR" "The script $script_name does not exist at $script_path." + set -e + return 1 # Return with an error status + fi + + log "INFO" "Check if the script is executable" + if [ ! -x "$script_path" ]; then + log "ERROR" "The script $script_name is not executable." + set -e + return 1 # Return with an error status + fi + + log "INFO" "Execute the script with any passed arguments and capture its output" + script_output=$("$script_path" "$@") + local script_exit_status=$? 
+ + log "INFO" "Check the exit status of the script" + if [ $script_exit_status -ne 0 ]; then + log "ERROR" "Script execution failed with exit status $script_exit_status. Output: $script_output" + set -e + return $script_exit_status + else + echo "$script_output" + set -e + return 0 + fi +} + +# ----------------------------------------------------------------------------- + +# ----------------------------------------------------------------------------- +# Postgres helper functions +# ----------------------------------------------------------------------------- +function rds_validate() { + export_validate "PGHOST" + export_validate "PGPORT" + export_validate "PGUSER" + export_validate "PGPASSWORD" + export_validate "PGDATABASE" +} + +function rds_prep() { + local json_blob=$1 + local db_server=$2 + + log "INFO" "Preparing RDS configurations." + parameters_validate "${json_blob}" + parameters_validate "${db_server}" + + log "INFO" "Extracting RDS data from provided JSON." + local rds_data + rds_data=$(process_json "${json_blob}" '."aws-rds"') + parameters_validate "${rds_data}" + local server_data + server_data=$(find_json_object "${rds_data}" "name" "${db_server}") + parameters_validate "${server_data}" + local db_host + db_host=$(process_json "${server_data}" ".credentials.host" "-r") + parameters_validate "${db_host}" + local db_port + db_port=$(process_json "${server_data}" ".credentials.port" "-r") + parameters_validate "${db_port}" + local db_username + db_username=$(process_json "${server_data}" ".credentials.username" "-r") + parameters_validate "${db_username}" + local db_password + db_password=$(process_json "${server_data}" ".credentials.password" "-r") + parameters_validate "${db_password}" + local db_name + db_name=$(process_json "${server_data}" ".credentials.name" "-r") + parameters_validate "${db_name}" + + log "INFO" "Configuring PostgreSQL client environment." 
+ export PGHOST="${db_host}" + export PGPORT="${db_port}" + export PGUSER="${db_username}" + export PGPASSWORD="${db_password}" + export PGDATABASE="${db_name}" + + rds_validate +} + +function rds_clear() { + unset PGHOST + unset PGPORT + unset PGUSER + unset PGPASSWORD + unset PGDATABASE +} + +function rds_test_connectivity() { + rds_validate + + log "INFO" "Testing RDS connectivity using pg_isready..." + + if pg_isready > /dev/null 2>&1; then + log "INFO" "RDS database is ready and accepting connections." + else + log "ERROR" "Failed to connect to RDS database. Check server status, credentials, and network settings." + set -e + return 1 + fi +} + +# ----------------------------------------------------------------------------- + +# ----------------------------------------------------------------------------- +# AWS S3 helper functions +# ----------------------------------------------------------------------------- +function aws_s3_validate() { + export_validate "AWS_ACCESS_KEY_ID" + export_validate "AWS_SECRET_ACCESS_KEY" + export_validate "AWS_DEFAULT_BUCKET" + export_validate "AWS_DEFAULT_REGION" +} + +function aws_s3_prep() { + local json_blob=$1 + local s3_server=$2 + + log "INFO" "Preparing AWS S3 configurations using input parameters." + parameters_validate "${json_blob}" + parameters_validate "${s3_server}" + + log "INFO" "Processing JSON data for S3 configuration." 
+ local s3_data + s3_data=$(process_json "${json_blob}" '."s3"') + parameters_validate "${s3_data}" + local server_data + server_data=$(find_json_object "${s3_data}" "name" "${s3_server}") + parameters_validate "${server_data}" + local s3_access_key_id + s3_access_key_id=$(process_json "${server_data}" ".credentials.access_key_id" "-r") + parameters_validate "${s3_access_key_id}" + local s3_secret_access_key + s3_secret_access_key=$(process_json "${server_data}" ".credentials.secret_access_key" "-r") + parameters_validate "${s3_secret_access_key}" + local s3_bucket + s3_bucket=$(process_json "${server_data}" ".credentials.bucket" "-r") + parameters_validate "${s3_bucket}" + local s3_region + s3_region=$(process_json "${server_data}" ".credentials.region" "-r") + parameters_validate "${s3_region}" + + log "INFO" "Setting AWS CLI environment variables." + export AWS_ACCESS_KEY_ID="${s3_access_key_id}" + export AWS_SECRET_ACCESS_KEY="${s3_secret_access_key}" + export AWS_DEFAULT_BUCKET="${s3_bucket}" + export AWS_DEFAULT_REGION="${s3_region}" + + aws_s3_validate +} + +function aws_s3_clear() { + unset AWS_ACCESS_KEY_ID + unset AWS_SECRET_ACCESS_KEY + unset AWS_DEFAULT_BUCKET + unset AWS_DEFAULT_REGION +} + +function s3_test_connectivity() { + aws_s3_validate + + log "INFO" "Testing AWS S3 connectivity..." + + if aws s3 ls "s3://$AWS_DEFAULT_BUCKET" > /dev/null 2>&1; then + log "INFO" "Successfully connected to AWS S3." + else + log "ERROR" "Failed to connect to AWS S3. Check credentials and network settings." + set -e + return 1 + fi +} + +# Download the latest backup file list +function aws_s3_get_latest_backup() { + local backup_filename_prefix=$1 + local latest_backup_filename="${backup_filename_prefix}-latest-backup.txt" + + log "INFO" "Downloading latest backup file list from S3..." 
+ if aws s3 cp "s3://${AWS_DEFAULT_BUCKET}/${backup_filename_prefix}/${latest_backup_filename}" - > latest_backup.txt; then + log "INFO" "Successfully downloaded latest backup file list." + else + log "ERROR" "Failed to download latest backup file list." + set -e + return 1 + fi +} + +# Function to download the backup password from S3 +function aws_s3_download_password() { + local password_file_path=$1 + + log "INFO" "Downloading backup password from S3..." + local password + password=$(aws s3 cp "s3://${password_file_path}" -) + parameters_validate "${password}" + + echo "${password}" +} + +# Verify the integrity of the file downloaded from S3 +function aws_s3_verify_file_integrity() { + local zip_file_path="$1" + local md5_file_path="$2" + local sha256_file_path="$3" + + log "INFO" "Stream the expected hashes directly from S3" + local expected_md5 expected_sha256 + expected_md5=$(aws s3 cp "s3://${md5_file_path}" -) + expected_sha256=$(aws s3 cp "s3://${sha256_file_path}" -) + + log "INFO" "Prepare the command to stream the S3 file and calculate hashes" + set +e + log "INFO" "Execute the command and capture its exit status" + aws s3 cp "s3://${zip_file_path}" - |\ + tee \ + >(sha256sum |\ + awk '{print $1}' > /tmp/computed_sha256 &\ + echo $? > /tmp/sha256_status \ + ) \ + >(md5sum |\ + awk '{print $1}' > /tmp/computed_md5 &\ + echo $? > /tmp/md5_status \ + ) \ + >/dev/null + local main_exit_status=$? + + log "INFO" "Wait for all subprocesses and check their exit statuses" + local md5_exit_status sha256_exit_status + read md5_exit_status < /tmp/md5_status + read sha256_exit_status < /tmp/sha256_status + rm -f /tmp/md5_status /tmp/sha256_status + + log "INFO" "Check if any of the hash calculations failed" + if [ "$md5_exit_status" -ne 0 ] || [ "$sha256_exit_status" -ne 0 ] || [ "$main_exit_status" -ne 0 ]; then + log "ERROR" "Error during file verification." 
+ set -e + return 1 + fi + + log "INFO" "Read computed hash values from temporary storage" + local computed_md5 computed_sha256 + read computed_md5 < /tmp/computed_md5 + read computed_sha256 < /tmp/computed_sha256 + rm -f /tmp/computed_md5 /tmp/computed_sha256 + + log "INFO" "Verify hashes" + if [ "$computed_md5" != "$expected_md5" ] || [ "$computed_sha256" != "$expected_sha256" ]; then + log "ERROR" "File verification failed." + log "ERROR" "Expected MD5: $expected_md5, Computed MD5: $computed_md5" + log "ERROR" "Expected SHA256: $expected_sha256, Computed SHA256: $computed_sha256" + set -e + return 1 + fi + + log "INFO" "File hashes verified" + set -e + return 0 +} + +# ----------------------------------------------------------------------------- +# Main restore function +# ----------------------------------------------------------------------------- +function perform_restore() { + local backup_filename_prefix=$1 + local rds_server=$2 + local aws_s3_server=$3 + + log "INFO" "Validate parameters and exports" + parameters_validate "${backup_filename_prefix}" + parameters_validate "${rds_server}" + parameters_validate "${aws_s3_server}" + + export_validate "VCAP_SERVICES" + + log "INFO" "Verify or install awscli" + run_script 'awscli_install.sh' '../../common/scripts/' || { + log "ERROR" "Failed to install or verify awscli" + set -e + exit 1 + } + + log "INFO" "Verify or install postgrescli" + run_script 'postgrescli_install.sh' '../../common/scripts/' || { + log "ERROR" "Failed to install or verify postgrescli" + set -e + exit 1 + } + + log "INFO" "add the bin dir for the new cli tools to PATH" + add_to_path '/tmp/local/bin' + + log "INFO" "check dependencies" + check_dependencies aws md5sum pg_restore unzip sha256sum + + log "INFO" "collect and configure credentials" + rds_prep "${VCAP_SERVICES}" "${rds_server}" || { + log "ERROR" "Failed to prepare RDS credentials" + set -e + exit 1 + } + + aws_s3_prep "${VCAP_SERVICES}" "${aws_s3_server}" || { + log "ERROR" 
"Failed to prepare AWS S3 credentials" + set -e + exit 1 + } + + log "INFO" "verify rds & s3 connectivity" + rds_test_connectivity || { + log "ERROR" "RDS connectivity test failed" + set -e + exit 1 + } + + s3_test_connectivity || { + log "ERROR" "S3 connectivity test failed" + set -e + exit 1 + } + + log "INFO" "Downloading latest backup file list" + aws_s3_get_latest_backup "${backup_filename_prefix}" || { + log "ERROR" "Failed to download latest backup file list" + set -e + exit 1 + } + + log "INFO" "Reading backup file paths from the latest backup file list" + local zip_file_path md5_file_path sha256_file_path password_file_path + read zip_file_path md5_file_path sha256_file_path password_file_path < latest_backup.txt + parameters_validate "${zip_file_path}" + parameters_validate "${md5_file_path}" + parameters_validate "${sha256_file_path}" + parameters_validate "${password_file_path}" + + log "INFO" "Downloading backup password" + local zip_password + zip_password=$(aws_s3_download_password "${password_file_path}") || { + log "ERROR" "Failed to download backup password" + set -e + exit 1 + } + + log "INFO" "Verifying the backup file from S3" + aws_s3_verify_file_integrity "${zip_file_path}" "${md5_file_path}" "${sha256_file_path}" || { + log "ERROR" "Failed to verify the backup file" + set -e + exit 1 + } + + log "INFO" "Restoring the database from the backup file" + aws s3 cp "s3://${zip_file_path}" - | funzip -P "${zip_password}" | psql || { + log "ERROR" "Database restore failed" + set -e + exit 1 + } + + log "INFO" "Database restore completed successfully" + + log "INFO" "clear the populated env vars" + rds_clear + aws_s3_clear +} + +monitor_memory $$ & + +perform_restore "$@" diff --git a/automation/manifest-process.yml b/automation/manifest-process.yml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/automation/manifest-restore.yml b/automation/manifest-restore.yml new file mode 100644 index 0000000000..1ad0d4608c --- /dev/null 
+++ b/automation/manifest-restore.yml @@ -0,0 +1,18 @@ +--- +applications: +- name: tta-automation + stack: cflinuxfs4 + health-check-type: process + memory: 512M + disk_quota: 512M + instances: 1 + no-route: true + buildpacks: + - binary_buildpack + command: ./cf/scripts/idol.sh + services: + - ttahub-db-backups + - ttahub-process + - ttahub-staging + - ttahub-dev + - ttahub-sandbox From 67716f7f90f88bb4f6bbd55ace047546c646de12 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 09:18:56 -0700 Subject: [PATCH 002/138] Update config.yml --- .circleci/config.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index a9a0529cc9..67b30f5fa5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -396,9 +396,6 @@ commands: success_message: description: "Success message for Slack notification" type: string - fail_message: - description: "Fail message for Slack notification" - type: string steps: - run: name: Install Dependencies @@ -564,7 +561,7 @@ commands: manifest: "manifest-restore.yml" success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' cf_process: - description: "process database from S3" + description: "Process database from S3" parameters: auth_client_secret: { type: env_var_name } cloudgov_username: { type: env_var_name } From fb1c806a18987cd1bc1e166d71292d6d43419474 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 09:27:30 -0700 Subject: [PATCH 003/138] Update config.yml --- .circleci/config.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 67b30f5fa5..845c315fcf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -569,7 +569,6 @@ commands: cloudgov_space: { type: env_var_name } rds_service_name: { type: string } s3_service_name: { type: string } - backup_prefix: { type: string } steps: - cf_automation_task: auth_client_secret: << parameters.auth_client_secret >> @@ -577,10 +576,10 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "process" - task_command: "cd /home/vcap/app/db-restore/scripts; bash ./db_restore.sh" - task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' + task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_process.sh" + task_args: '["<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' manifest: "manifest-process.yml" - success_message: ':database: "<< parameters.backup_prefix >>" Restored' + success_message: ':database: Restored data processed' parameters: cg_org: description: "Cloud Foundry cloud.gov organization name" From 8a63615cad6a799f567b08384fee6f49f63287ae Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 14:34:27 -0700 Subject: [PATCH 004/138] Update manifest-process.yml --- automation/manifest-process.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/automation/manifest-process.yml b/automation/manifest-process.yml index e69de29bb2..9c8ccb0520 100644 --- a/automation/manifest-process.yml +++ b/automation/manifest-process.yml @@ -0,0 +1,14 @@ +--- +applications: +- name: tta-automation + stack: cflinuxfs4 + health-check-type: process + memory: 512M + disk_quota: 1GB + instances: 1 + no-route: true + buildpacks: + - https://github.com/cloudfoundry/nodejs-buildpack + command: ./automation/cf/scripts/idol.sh + services: + - ttahub-process From 57ad06a01cd191ffc4ea24fc0ff08143445cfcb3 Mon Sep 17 00:00:00 2001 
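Review bot: The buildpack entry in the new automation/manifest-process.yml, `- https://github.com/cloudfoundry/nodejs-buildpack`, is an unpinned Git URL, so each push stages the task with whatever the repository's default branch holds at that moment. Because this app is bound to `ttahub-process`, the staging toolchain should be reproducible and reviewable. Pin a release with `- https://github.com/cloudfoundry/nodejs-buildpack#<release-tag>`, or use the platform-provided `nodejs_buildpack` the way manifest-restore.yml uses `binary_buildpack`.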
From: GarrettEHill Date: Mon, 5 Aug 2024 14:34:41 -0700 Subject: [PATCH 005/138] Update config.yml --- .circleci/config.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 845c315fcf..c1e1b6adae 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -567,8 +567,6 @@ commands: cloudgov_username: { type: env_var_name } cloudgov_password: { type: env_var_name } cloudgov_space: { type: env_var_name } - rds_service_name: { type: string } - s3_service_name: { type: string } steps: - cf_automation_task: auth_client_secret: << parameters.auth_client_secret >> @@ -576,8 +574,8 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "process" - task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_process.sh" - task_args: '["<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' + task_command: "yarn processData:local" + task_args: '' manifest: "manifest-process.yml" success_message: ':database: Restored data processed' parameters: @@ -1292,8 +1290,6 @@ jobs: cloudgov_username: CLOUDGOV_PROD_USERNAME cloudgov_password: CLOUDGOV_PROD_PASSWORD cloudgov_space: CLOUDGOV_PROD_SPACE - rds_service_name: ttahub-process - s3_service_name: ttahub-db-backups process_backup: docker: - image: cimg/base:2024.05 @@ -1427,5 +1423,5 @@ workflows: equal: [true, << pipeline.parameters.manual-process >>] jobs: - restore_production_for_processing - - process_production - - process_backup + # - process_production + # - process_backup From 6141c05a0191e9ba132112b96c09314956f8613f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 14:43:10 -0700 Subject: [PATCH 006/138] limit to current test --- automation/manifest-restore.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/manifest-restore.yml b/automation/manifest-restore.yml index 1ad0d4608c..bee82dfcb2 100644 
--- a/automation/manifest-restore.yml +++ b/automation/manifest-restore.yml @@ -13,6 +13,6 @@ applications: services: - ttahub-db-backups - ttahub-process - - ttahub-staging - - ttahub-dev - - ttahub-sandbox + # - ttahub-staging + # - ttahub-dev + # - ttahub-sandbox From 11132c347364ee2c1b376e97bf6cb6bd89953543 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 15:10:10 -0700 Subject: [PATCH 007/138] force unbind to limit cross job access risk --- automation/ci/scripts/cf_lambda.sh | 39 ++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 8ce82d261a..cc0f00e174 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -308,6 +308,35 @@ function check_app_running { fi } +# Unbind all services from the application +function unbind_all_services() { + local app_name="$1" + validate_parameters "$app_name" + + log "INFO" "Unbinding all services from application $app_name..." + + # Get the list of services bound to the application + local services + services=$(cf services | grep "$app_name" | awk '{print $1}') + + if [[ -z "$services" ]]; then + log "INFO" "No services are bound to the application $app_name." + return 0 + fi + + # Loop through each service and unbind it from the application + for service in $services; do + log "INFO" "Unbinding service $service from application $app_name..." + if ! cf unbind-service "$app_name" "$service"; then + log "ERROR" "Failed to unbind service $service from application $app_name." + return 1 + fi + done + + log "INFO" "Successfully unbound all services from application $app_name." + return 0 +} + # Push the app using a manifest from a specific directory function push_app { local original_dir=$(pwd) # Save the original directory 
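Review bot: `unbind_all_services`, added in the automation/ci/scripts/cf_lambda.sh hunk, fails open: in `services=$(cf services | grep "$app_name" | awk '{print $1}')` a failed `cf services` call (expired login, API error) yields an empty list, and the `-z` branch then reports that nothing is bound and returns 0 while the bindings remain. The `grep "$app_name"` filter also matches the name anywhere in a row, so a service instance or another app whose name merely contains `tta-automation` is selected as well. Capture the listing first, `listing=$(cf services) || { log "ERROR" "cf services failed"; return 1; }`, and compare the bound-apps column for an exact match before unbinding. Since the commit's stated purpose is limiting cross-job access, any doubt should end in a non-zero return.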
@@ -320,7 +349,11 @@ function push_app { cd "$directory" || { log "ERROR" "Failed to change directory to $directory"; cd "$original_dir"; exit 1; } # Extract app name from the manifest file - local app_name=$(grep 'name:' "$manifest_file" | awk '{print $3}' | tr -d '"') + local app_name + app_name=$(grep 'name:' "$manifest_file" | awk '{print $3}' | tr -d '"') + + # Unbind all services before pushing the app + unbind_all_services "$app_name" # Push the app without routing or starting it, capturing output local push_output @@ -340,7 +373,6 @@ function push_app { echo $app_name } - # Function to start an app function start_app { local app_name=$1 @@ -367,6 +399,9 @@ function stop_app { else log "INFO" "Application '$app_name' stopped successfully." fi + + # Unbind all services after stopping the app + unbind_all_services "$app_name" } # Function to manage the state of the application (start, restage, stop) From 44f01520a181be4b8ed2224ff24d8bcd192ff2e0 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 15:16:23 -0700 Subject: [PATCH 008/138] relocate the unbind when stopping --- automation/ci/scripts/cf_lambda.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index cc0f00e174..5801e7fbbc 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -392,6 +392,9 @@ function stop_app { local app_name=$1 validate_parameters "$app_name" + # Unbind all services after stopping the app + unbind_all_services "$app_name" + log "INFO" "Stopping application '$app_name'..." if ! cf stop "$app_name"; then log "ERROR" "Failed to stop application '$app_name'." @@ -399,9 +402,6 @@ function stop_app { else log "INFO" "Application '$app_name' stopped successfully." fi - - # Unbind all services after stopping the app - unbind_all_services "$app_name" } # Function to manage the state of the application (start, restage, stop) 
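Review bot: The new `unbind_all_services "$app_name"` call in `push_app` (the `@@ -320,7 +349,11 @@` hunk) discards the function's return status, so a failed unbind does not stop the push; the same applies to the calls added to `stop_app` in the `@@ -367,6 +399,9 @@` and `@@ -392,6 +392,9 @@` hunks. Check it where it is called: `unbind_all_services "$app_name" || { log "ERROR" "Failed to unbind services from $app_name"; exit 1; }`. `push_app` also hands its result back through `echo $app_name`, so anything the unbind step writes to stdout would end up in that captured value; redirecting the call with `>&2` avoids that. Both function bodies extend beyond the hunks.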
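Review bot: The comment that moved with the call in the `@@ -392,6 +392,9 @@` hunk still reads `# Unbind all services after stopping the app`, but the call now runs before `cf stop`. Reword it to state why the order matters, for example `# Unbind first so the bindings are removed even if cf stop fails`, if that is the intent of the move.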
From 8b89158834331bb2f5bcdeed68bb52efaf18ab2a Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 15:30:52 -0700 Subject: [PATCH 009/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 5801e7fbbc..0c1e5a3197 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -313,27 +313,27 @@ function unbind_all_services() { local app_name="$1" validate_parameters "$app_name" - log "INFO" "Unbinding all services from application $app_name..." + # log "INFO" "Unbinding all services from application $app_name..." # Get the list of services bound to the application local services services=$(cf services | grep "$app_name" | awk '{print $1}') if [[ -z "$services" ]]; then - log "INFO" "No services are bound to the application $app_name." + # log "INFO" "No services are bound to the application $app_name." return 0 fi # Loop through each service and unbind it from the application for service in $services; do - log "INFO" "Unbinding service $service from application $app_name..." + # log "INFO" "Unbinding service $service from application $app_name..." if ! cf unbind-service "$app_name" "$service"; then log "ERROR" "Failed to unbind service $service from application $app_name." return 1 fi done - log "INFO" "Successfully unbound all services from application $app_name." + # log "INFO" "Successfully unbound all services from application $app_name." return 0 } From 93219604f2e4c72ba099765764f6c8033d80995e Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 15:42:19 -0700 Subject: [PATCH 010/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 901affe3a2..f765187b3c 100644 
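Review bot: Commenting out the four `log "INFO"` calls in `unbind_all_services` leaves no record of which service instances were unbound from which app, which is the evidence an operator needs when checking that a job's credentials were actually withdrawn. If the reason is that `log` output was polluting a captured stdout (not visible in this hunk, so an assumption), keep the messages and send them to stderr, e.g. `log "INFO" "Unbinding service $service from application $app_name..." >&2`. Otherwise delete the lines rather than leaving them commented.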
--- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -420,6 +420,21 @@ function aws_s3_get_latest_backup() { log "INFO" "Downloading latest backup file list from S3..." if aws s3 cp "s3://${AWS_DEFAULT_BUCKET}/${backup_filename_prefix}/${latest_backup_filename}" - > latest_backup.txt; then log "INFO" "Successfully downloaded latest backup file list." + + # Check if the file exists and is not empty + if [ -f latest_backup.txt ]; then + if [ -s latest_backup.txt ]; then + log "INFO" "Latest backup file list exists and is not empty." + else + log "ERROR" "Downloaded latest backup file list is empty." + set -e + return 1 + fi + else + log "ERROR" "Downloaded latest backup file list does not exist." + set -e + return 1 + fi else log "ERROR" "Failed to download latest backup file list." set -e @@ -427,6 +442,7 @@ function aws_s3_get_latest_backup() { fi } + # Function to download the backup password from S3 function aws_s3_download_password() { local password_file_path=$1 @@ -567,6 +583,8 @@ function perform_restore() { exit 1 } + cat latest_backup.txt + log "INFO" "Reading backup file paths from the latest backup file list" local zip_file_path md5_file_path sha256_file_path password_file_path read zip_file_path md5_file_path sha256_file_path password_file_path < latest_backup.txt From 5b3b808f8dbe60677824436c750241a63ce62212 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 16:33:03 -0700 Subject: [PATCH 011/138] match logic in latest_backup.sh --- automation/db-backup/scripts/db_restore.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index f765187b3c..36238b4c35 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh 
@@ -587,7 +587,10 @@ function perform_restore() { log "INFO" "Reading backup file paths from the latest backup file list" local zip_file_path md5_file_path sha256_file_path password_file_path - read zip_file_path md5_file_path sha256_file_path password_file_path < latest_backup.txt + zip_file_path=$(awk 'NR==1' latest_backup.txt) + md5_file_path="${backup_file_name%.zip}.md5" + sha256_file_path="${backup_file_name%.zip}.sha256" + password_file_path="${backup_file_name%.zip}.pwd" parameters_validate "${zip_file_path}" parameters_validate "${md5_file_path}" parameters_validate "${sha256_file_path}" From 553a5a510f4383af1f683f23dcccad15d0e1c67f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 16:36:47 -0700 Subject: [PATCH 012/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 36238b4c35..3ba6393ccb 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -588,9 +588,9 @@ function perform_restore() { log "INFO" "Reading backup file paths from the latest backup file list" local zip_file_path md5_file_path sha256_file_path password_file_path zip_file_path=$(awk 'NR==1' latest_backup.txt) - md5_file_path="${backup_file_name%.zip}.md5" - sha256_file_path="${backup_file_name%.zip}.sha256" - password_file_path="${backup_file_name%.zip}.pwd" + md5_file_path="${zip_file_path%.zip}.md5" + sha256_file_path="${zip_file_path%.zip}.sha256" + password_file_path="${zip_file_path%.zip}.pwd" parameters_validate "${zip_file_path}" parameters_validate "${md5_file_path}" parameters_validate "${sha256_file_path}" From f2f12ae2b22b40b726c39369fd09706c14867ac6 Mon Sep 17 00:00:00 2001 
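Review bot: In the `@@ -588,9 +588,9 @@` hunk the three sidecar paths are derived with `${zip_file_path%.zip}`, which returns the value unchanged when line 1 of latest_backup.txt does not end in `.zip`; the paths are then non-empty but wrong, and `parameters_validate`, if it only checks for a non-empty value, will accept them. Reject an unexpected name up front: `[[ "${zip_file_path}" == *.zip ]] || { log "ERROR" "Unexpected backup file name"; exit 1; }`. The `.md5`, `.sha256` and `.pwd` objects are stored under the same prefix as the archive, so the hash check detects a corrupted transfer but not a replaced backup, and anyone who can read the prefix can read the archive password as well. The preceding `@@ -587,7 +587,10 @@` hunk has the same derivation with an undefined `backup_file_name`, which this hunk corrects.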
From: GarrettEHill Date: Mon, 5 Aug 2024 16:54:51 -0700 Subject: [PATCH 013/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 3ba6393ccb..a057da0edb 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -583,8 +583,6 @@ function perform_restore() { exit 1 } - cat latest_backup.txt - log "INFO" "Reading backup file paths from the latest backup file list" local zip_file_path md5_file_path sha256_file_path password_file_path zip_file_path=$(awk 'NR==1' latest_backup.txt) @@ -612,7 +610,11 @@ function perform_restore() { } log "INFO" "Restoring the database from the backup file" - aws s3 cp "s3://${zip_file_path}" - | funzip -P "${zip_password}" | psql || { + set -x + set -o pipefail + aws s3 cp "s3://${zip_file_path}" - |\ + funzip -P "${zip_password}" |\ + PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" || { log "ERROR" "Database restore failed" set -e exit 1 From 2bdc889f0e048e355e5929f3b93358347586eb05 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 17:05:39 -0700 Subject: [PATCH 014/138] more magic --- automation/db-backup/scripts/db_restore.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index a057da0edb..0c64f4e7cf 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh 
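Review bot: `set -x` is enabled immediately before the restore pipeline in the `@@ -612,7 +610,11 @@` hunk, so the shell traces each command with its variables expanded: `funzip -P "${zip_password}"` and the `PGPASSWORD="${PGPASSWORD}"` assignment are written to the task log in clear text. Remove the `set -x` line (nothing in the hunk turns it off again), or limit tracing to commands that carry no secrets. The `PGPASSWORD=… psql -h … -U …` prefix is also redundant if the `PG*` variables are already exported, as the earlier bare `psql` call suggests, and dropping it keeps the password out of the command text. The later hunks that rewrite this pipeline (`@@ -613,8 +613,11 @@`, `@@ -612,16 +612,28 @@`, `@@ -613,27 +613,10 @@`) keep the `set -x` and the same exposure.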
@@ -613,8 +613,11 @@ function perform_restore() { set -x set -o pipefail aws s3 cp "s3://${zip_file_path}" - |\ - funzip -P "${zip_password}" |\ - PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" || { + funzip |\ + dd of=/dev/stdout |\ + unzip -p - -P "${zip_password}" -- - |\ + PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" ||\ + { log "ERROR" "Database restore failed" set -e exit 1 From a2065886913b15fe513c3350be82707af86e9b12 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 5 Aug 2024 17:15:19 -0700 Subject: [PATCH 015/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 28 +++++++++++++++------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 0c64f4e7cf..fb3c6d5eb8 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh 
@@ -612,16 +612,28 @@ function perform_restore() { log "INFO" "Restoring the database from the backup file" set -x set -o pipefail - aws s3 cp "s3://${zip_file_path}" - |\ - funzip |\ - dd of=/dev/stdout |\ - unzip -p - -P "${zip_password}" -- - |\ - PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" ||\ - { - log "ERROR" "Database restore failed" + + mkfifo temp_fifo + + if aws s3 cp "s3://${zip_file_path}" - | unzip -P "${zip_password}" -p - -- - > temp_fifo & then + log "INFO" "Streamed and extracted file successfully." + else + log "ERROR" "Error during streaming or extraction." + rm temp_fifo set -e exit 1 - } + fi + + if PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" < temp_fifo; then + log "INFO" "Data restored successfully." + else + log "ERROR" "Error during data restoration." + rm temp_fifo + set -e + exit 1 + fi + + rm temp_fifo log "INFO" "Database restore completed successfully" From ce0481317fe974e7243c12f142723e12f80b86b2 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 6 Aug 2024 11:39:37 -0700 Subject: [PATCH 016/138] switch to zenc --- automation/db-backup/scripts/db_backup.sh | 71 ++++-------- automation/db-backup/scripts/db_restore.sh | 49 +++----- bin/latest_backup.sh | 129 +++++++++++++-------- 3 files changed, 123 insertions(+), 126 deletions(-) diff --git a/automation/db-backup/scripts/db_backup.sh b/automation/db-backup/scripts/db_backup.sh index 0c0f4421ec..776cc8e4f9 100644 --- a/automation/db-backup/scripts/db_backup.sh +++ b/automation/db-backup/scripts/db_backup.sh @@ -342,12 +342,6 @@ function rds_test_connectivity() { fi } -function rds_dump_prep() { - rds_validate - - # all arguments are read from exports directly - echo "pg_dump" -} # ----------------------------------------------------------------------------- # ----------------------------------------------------------------------------- 
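Review bot: In the `@@ -612,16 +612,28 @@` hunk the condition `if aws s3 cp … | unzip … > temp_fifo & then` tests a backgrounded pipeline, whose status only reflects that the job was started and is always 0, so "Streamed and extracted file successfully." is logged before any byte is transferred and the `else` branch can never run. A download or extraction failure therefore shows up only indirectly, as whatever `psql` makes of a truncated stream. Start the producer with `&`, record `$!`, and check `wait "$producer_pid"` after `psql` returns. `temp_fifo` is also created under a fixed name in the working directory; a `mktemp -d` directory removed by a `trap` avoids collisions and leftovers.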
@@ -477,7 +471,7 @@ function aws_s3_safe_remove_file() { } aws_s3_verify_file_integrity() { - local zip_file_path="$1" + local backup_file_path="$1" local md5_file_path="$2" local sha256_file_path="$3" @@ -489,7 +483,7 @@ aws_s3_verify_file_integrity() { log "INFO" "Prepare the command to stream the S3 file and calculate hashes" set +e log "INFO" "Execute the command and capture its exit status" - aws s3 cp "s3://${zip_file_path}" - |\ + aws s3 cp "s3://${backup_file_path}" - |\ tee \ >(sha256sum |\ awk '{print $1}' > /tmp/computed_sha256 &\ @@ -519,7 +513,6 @@ aws_s3_verify_file_integrity() { local computed_md5 computed_sha256 read computed_md5 < /tmp/computed_md5 read computed_sha256 < /tmp/computed_sha256 - rm -f /tmp/computed_md5 /tmp/computed_sha256 log "INFO" "Verify hashes" if [ "$computed_md5" != "$expected_md5" ] || [ "$computed_sha256" != "$expected_sha256" ]; then @@ -531,6 +524,7 @@ aws_s3_verify_file_integrity() { fi log "INFO" "File hashes verified" + rm -f /tmp/computed_md5 /tmp/computed_sha256 set -e return 0 } @@ -539,14 +533,6 @@ aws_s3_verify_file_integrity() { # ----------------------------------------------------------------------------- # Backup & Upload helper functions # ----------------------------------------------------------------------------- -zip_prep() { - local zip_password=$1 - - parameters_validate "${zip_password}" - - echo "zip -P \"${zip_password}\" - -" -} - perform_backup_and_upload() { local backup_filename_prefix=$1 
@@ -554,27 +540,19 @@ perform_backup_and_upload() { local s3_bucket=$AWS_DEFAULT_BUCKET - local zip_password timestamp - zip_password=$(openssl rand -base64 12) + local backup_password timestamp + backup_password=$(openssl rand -base64 12) timestamp="$(date --utc +%Y-%m-%d-%H-%M-%S)-UTC" - local zip_filename="${backup_filename_prefix}-${timestamp}.sql.zip" + local backup_filename="${backup_filename_prefix}-${timestamp}.sql.zenc" local md5_filename="${backup_filename_prefix}-${timestamp}.sql.md5" local sha256_filename="${backup_filename_prefix}-${timestamp}.sql.sha256" local password_filename="${backup_filename_prefix}-${timestamp}.sql.pwd" local latest_backup_filename="${backup_filename_prefix}-latest-backup.txt" - local rds_dump_cmd - rds_dump_cmd=$(rds_dump_prep) - parameters_validate "${rds_dump_cmd}" - - local zip_cmd - zip_cmd=$(zip_prep "${zip_password}") - parameters_validate "${zip_cmd}" - - local aws_s3_copy_zip_file_cmd - aws_s3_copy_zip_file_cmd=$(aws_s3_copy_file_prep "$zip_filename" "${backup_filename_prefix}") - parameters_validate "${aws_s3_copy_zip_file_cmd}" + local aws_s3_copy_backup_file_cmd + aws_s3_copy_backup_file_cmd=$(aws_s3_copy_file_prep "$backup_filename" "${backup_filename_prefix}") + parameters_validate "${aws_s3_copy_backup_file_cmd}" local aws_s3_copy_md5_file_cmd aws_s3_copy_md5_file_cmd=$(aws_s3_copy_file_prep "$md5_filename" "${backup_filename_prefix}") @@ -595,7 +573,8 @@ perform_backup_and_upload() { log "INFO" "Execute the command and capture its exit status" set +e pg_dump |\ - zip -P "${zip_password}" - - |\ + gzip |\ + openssl enc -aes-256-cbc -salt -k "${backup_password}" |\ tee \ >(md5sum |\ awk '{print $1}' |\ 
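Review bot: The new `openssl enc -aes-256-cbc -salt -k "${backup_password}"` stage in the `@@ -595,7 +573,8 @@` hunk derives the key with OpenSSL's legacy single-iteration KDF and passes the password as a command-line argument, where it is visible in the process list for the duration of the dump. Prefer `openssl enc -aes-256-cbc -salt -pbkdf2 -pass env:BACKUP_PASSWORD` (OpenSSL 1.1.1 or later; `BACKUP_PASSWORD` is a name made up for this example) with the variable set for that one command. Make the same change to the `openssl enc -d` calls this commit adds in db_restore.sh and bin/latest_backup.sh so that writer and readers stay in step. CBC as used here is unauthenticated, so tamper detection rests entirely on the separately stored `.md5` and `.sha256` objects. The pipeline continues beyond the hunk.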
@@ -607,7 +586,7 @@ perform_backup_and_upload() { aws s3 cp - "s3://${s3_bucket}/${backup_filename_prefix}/${sha256_filename}" ;\ echo $? > /tmp/sha256_status \ ) |\ - aws s3 cp - "s3://${s3_bucket}/${backup_filename_prefix}/${zip_filename}" + aws s3 cp - "s3://${s3_bucket}/${backup_filename_prefix}/${backup_filename}" local main_exit_status=$? log "INFO" "Wait for all subprocesses and check their exit statuses" 
@@ -623,34 +602,34 @@ perform_backup_and_upload() { log "INFO" "Check if any of the backup uploads or integrity checks failed" if [ "$md5_exit_status" -ne 0 ] || [ "$sha256_exit_status" -ne 0 ] || [ "$main_exit_status" -ne 0 ]; then log "ERROR" "Backup upload failed." - aws_s3_safe_remove_file "${zip_filename}" + aws_s3_safe_remove_file "${backup_filename}" aws_s3_safe_remove_file "${md5_filename}" aws_s3_safe_remove_file "${sha256_filename}" set -e return 1 fi - log "INFO" "Upload the ZIP password" - if ! echo -n "${zip_password}" |\ + log "INFO" "Upload the backup password" + if ! echo -n "${backup_password}" |\ eval "$aws_s3_copy_password_file_cmd"; then log "ERROR" "Password file upload failed." aws_s3_safe_remove_file "${password_filename}" - aws_s3_safe_remove_file "${zip_filename}" + aws_s3_safe_remove_file "${backup_filename}" aws_s3_safe_remove_file "${md5_filename}" aws_s3_safe_remove_file "${sha256_filename}" set -e return 1 fi - local zip_file_path="${s3_bucket}/${backup_filename_prefix}/${zip_filename}" + local backup_file_path="${s3_bucket}/${backup_filename_prefix}/${backup_filename}" local md5_file_path="${s3_bucket}/${backup_filename_prefix}/${md5_filename}" local sha256_file_path="${s3_bucket}/${backup_filename_prefix}/${sha256_filename}" local password_file_path="${s3_bucket}/${backup_filename_prefix}/${password_filename}" - if ! aws_s3_verify_file_integrity "${zip_file_path}" "${md5_file_path}" "${sha256_file_path}"; then + if ! aws_s3_verify_file_integrity "${backup_file_path}" "${md5_file_path}" "${sha256_file_path}"; then log "ERROR" "Verification of file integrity check failed" aws_s3_safe_remove_file "${password_filename}" - aws_s3_safe_remove_file "${zip_filename}" + aws_s3_safe_remove_file "${backup_filename}" aws_s3_safe_remove_file "${md5_filename}" aws_s3_safe_remove_file "${sha256_filename}" set -e 
@@ -658,7 +637,7 @@ perform_backup_and_upload() { fi log "INFO" "Update the latest backup file list" - if ! printf "%s\n%s\n%s\n%s" "${zip_file_path}" "${md5_file_path}" "${sha256_file_path}" "${password_file_path}" |\ + if ! printf "%s\n%s\n%s\n%s" "${backup_file_path}" "${md5_file_path}" "${sha256_file_path}" "${password_file_path}" |\ eval "${aws_s3_copy_latest_backup_file_cmd}"; then log "ERROR" "Latest backup file list upload failed." set -e @@ -712,7 +691,7 @@ backup_retention() { delete_backup_set() { BASE_NAME=$1 - for EXT in ".zip" ".pwd" ".md5" ".sha256"; do + for EXT in ".zenc" ".pwd" ".md5" ".sha256"; do KEY="${BASE_NAME}${EXT}" log "INFO" "Deleting $KEY" aws s3 rm "s3://${s3_bucket}/${KEY}" || { @@ -793,7 +772,7 @@ function main() { set -e exit 1 } - + log "INFO" "Verify or install postgrescli" run_script 'postgrescli_install.sh' '../../common/scripts/' || { log "ERROR" "Failed to install or verify postgrescli" @@ -805,7 +784,7 @@ function main() { add_to_path '/tmp/local/bin' log "INFO" "check dependencies" - check_dependencies aws md5sum openssl pg_dump pg_isready sha256sum zip + check_dependencies aws md5sum openssl pg_dump pg_isready sha256sum gzip log "INFO" "collect and configure credentials" rds_prep "${VCAP_SERVICES}" "${rds_server}" || { @@ -813,7 +792,7 @@ function main() { set -e exit 1 } - + aws_s3_prep "${VCAP_SERVICES}" "${aws_s3_server}" || { log "ERROR" "Failed to prepare AWS S3 credentials" set -e @@ -826,7 +805,7 @@ function main() { set -e exit 1 } - + s3_test_connectivity || { log "ERROR" "S3 connectivity test failed" set -e diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index fb3c6d5eb8..69e470e247 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh 
@@ -457,7 +457,7 @@ function aws_s3_download_password() { # Verify the integrity of the file downloaded from S3 function aws_s3_verify_file_integrity() { - local zip_file_path="$1" + local backup_file_path="$1" local md5_file_path="$2" local sha256_file_path="$3" @@ -469,7 +469,7 @@ function aws_s3_verify_file_integrity() { log "INFO" "Prepare the command to stream the S3 file and calculate hashes" set +e log "INFO" "Execute the command and capture its exit status" - aws s3 cp "s3://${zip_file_path}" - |\ + aws s3 cp "s3://${backup_file_path}" - |\ tee \ >(sha256sum |\ awk '{print $1}' > /tmp/computed_sha256 &\ @@ -548,7 +548,7 @@ function perform_restore() { add_to_path '/tmp/local/bin' log "INFO" "check dependencies" - check_dependencies aws md5sum pg_restore unzip sha256sum + check_dependencies aws md5sum pg_restore sha256sum gzip openssl log "INFO" "collect and configure credentials" rds_prep "${VCAP_SERVICES}" "${rds_server}" || { 
@@ -584,26 +584,26 @@ function perform_restore() { } log "INFO" "Reading backup file paths from the latest backup file list" - local zip_file_path md5_file_path sha256_file_path password_file_path - zip_file_path=$(awk 'NR==1' latest_backup.txt) - md5_file_path="${zip_file_path%.zip}.md5" - sha256_file_path="${zip_file_path%.zip}.sha256" - password_file_path="${zip_file_path%.zip}.pwd" - parameters_validate "${zip_file_path}" + local backup_file_path md5_file_path sha256_file_path password_file_path + backup_file_path=$(awk 'NR==1' latest_backup.txt) + md5_file_path="${backup_file_path%.gzenc}.md5" + sha256_file_path="${backup_file_path%.gzenc}.sha256" + password_file_path="${backup_file_path%.gzenc}.pwd" + parameters_validate "${backup_file_path}" parameters_validate "${md5_file_path}" parameters_validate "${sha256_file_path}" parameters_validate "${password_file_path}" log "INFO" "Downloading backup password" - local zip_password - zip_password=$(aws_s3_download_password "${password_file_path}") || { + local backup_password + backup_password=$(aws_s3_download_password "${password_file_path}") || { log "ERROR" "Failed to download backup password" set -e exit 1 } log "INFO" "Verifying the backup file from S3" - aws_s3_verify_file_integrity "${zip_file_path}" "${md5_file_path}" "${sha256_file_path}" || { + aws_s3_verify_file_integrity "${backup_file_path}" "${md5_file_path}" "${sha256_file_path}" || { log "ERROR" "Failed to verify the backup file" set -e exit 1 
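Review bot: The sidecar paths in the `@@ -584,26 +584,26 @@` hunk strip `.gzenc`, but db_backup.sh in this same commit names the archive `….sql.zenc` and the sidecars `….sql.md5`, `….sql.sha256` and `….sql.pwd`. `${backup_file_path%.gzenc}` therefore removes nothing and the script looks for `….sql.zenc.md5` and its siblings, which the backup never writes, so hash verification and the password download cannot succeed. Use the suffix the writer uses, `md5_file_path="${backup_file_path%.zenc}.md5"` (likewise for `.sha256` and `.pwd`), and fail if the name does not end in it.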
@@ -613,27 +613,10 @@ function perform_restore() { set -x set -o pipefail - mkfifo temp_fifo - - if aws s3 cp "s3://${zip_file_path}" - | unzip -P "${zip_password}" -p - -- - > temp_fifo & then - log "INFO" "Streamed and extracted file successfully." - else - log "ERROR" "Error during streaming or extraction." - rm temp_fifo - set -e - exit 1 - fi - - if PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" < temp_fifo; then - log "INFO" "Data restored successfully." - else - log "ERROR" "Error during data restoration." - rm temp_fifo - set -e - exit 1 - fi - - rm temp_fifo + aws s3 cp "s3://${AWS_DEFAULT_BUCKET}/${backup_file_path}" - |\ + openssl enc -d -aes-256-cbc -k "${backup_password}" |\ + gzip -d |\ + PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" log "INFO" "Database restore completed successfully" diff --git a/bin/latest_backup.sh b/bin/latest_backup.sh index f4918a2c4b..458d2d04af 100644 --- a/bin/latest_backup.sh +++ b/bin/latest_backup.sh 
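Review bot: The rewritten restore pipeline in the `@@ -613,27 +613,10 @@` hunk reads from `s3://${AWS_DEFAULT_BUCKET}/${backup_file_path}`, while `backup_file_path` comes from the list db_backup.sh writes as `${s3_bucket}/${backup_filename_prefix}/${backup_filename}` and `aws_s3_verify_file_integrity` opens as `s3://${backup_file_path}`; the bucket name is therefore prefixed twice and the key that is restored differs from the key that was verified. Use `aws s3 cp "s3://${backup_file_path}" -` as the verifier does. The hunk also drops the failure branch: nothing checks the pipeline's status before `log "INFO" "Database restore completed successfully"`, so unless errexit happens to be active at this point (it is toggled outside the hunk) a failed decrypt or `psql` error is reported as success; append `|| { log "ERROR" "Database restore failed"; exit 1; }`. Adding `-v ON_ERROR_STOP=1` to `psql` makes SQL errors count as failures too.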
@@ -151,39 +151,40 @@ generate_presigned_urls() { echo "${urls[@]}" } -# Function to list all ZIP files in the same S3 path as the latest backup -list_all_zip_files() { +# Function to list all ZIP and ZENC files in the same S3 path as the latest backup +list_all_backup_files() { local bucket_name=$1 local s3_folder=$2 - local zip_files=$(aws s3 ls "s3://${bucket_name}/${s3_folder}" --recursive | grep '.zip\|.pwd\|.md5\|.sha256') - if [ -z "${zip_files}" ]; then - echo "No ZIP files found in S3 bucket." + local backup_files=$(aws s3 ls "s3://${bucket_name}/${s3_folder}" --recursive | grep -E '\.zip|\.zenc|\.pwd|\.md5|\.sha256') + if [ -z "${backup_files}" ]; then + echo "No backup files found in S3 bucket." else - echo "ZIP files in S3 bucket:" - printf "%-50s %-5s %-5s %-5s %-15s %-5s\n" "Name" "pwd" "md5" "sha256" "size(zip)" "age(days)" + echo "Backup files in S3 bucket:" + printf "%-50s %-7s %-5s %-5s %-5s %-15s %-5s\n" "Name" "Format" "pwd" "md5" "sha256" "size" "age(days)" current_date=$(date +%s) - echo "${zip_files}" | \ + echo "${backup_files}" | \ while read line; do \ echo "${line##*.} ${line}";\ done |\ sort -rk5 |\ tr '\n' ' ' | \ - sed 's~ zip ~\nzip ~g' |\ + sed 's~ \(zip\|zenc\) ~\n& ~g' |\ while read line; do - zip_file=$(echo ${line} | awk '{split($5, a, "/"); print a[length(a)]}'); + backup_file=$(echo ${line} | awk '{split($5, a, "/"); print a[length(a)]}'); + format=$(echo ${line} | awk '{print $1}') has_pwd=$([[ $line == *" pwd "* ]] && echo "x" || echo ""); has_md5=$([[ $line == *" md5 "* ]] && echo "x" || echo ""); has_sha256=$([[ $line == *" sha256 "* ]] && echo "x" || echo ""); - zip_size=$(numfmt --to=iec-i --suffix=B $(echo ${line} | awk '{print $4}')); + backup_size=$(numfmt --to=iec-i --suffix=B $(echo ${line} | awk '{print $4}')); # Determine OS and use appropriate date command if [[ "$OSTYPE" == "darwin"* ]]; then - zip_age=$(( ( $(date +%s) - $(date -j -f "%Y-%m-%d" "$(echo ${line} | awk '{print $2}')" +%s) ) / 86400 )) + 
backup_age=$(( ( $(date +%s) - $(date -j -f "%Y-%m-%d" "$(echo ${line} | awk '{print $2}')" +%s) ) / 86400 )) else - zip_age=$(( ( $(date +%s) - $(date -d "$(echo ${line} | awk '{print $2}')" +%s) ) / 86400 )) + backup_age=$(( ( $(date +%s) - $(date -d "$(echo ${line} | awk '{print $2}')" +%s) ) / 86400 )) fi - printf "%-50s %-5s %-5s %-5s %-15s %-5s\n" "$zip_file" "$has_pwd" "$has_md5" "$has_sha256" "$zip_size" "$zip_age"; + printf "%-50s %-7s %-5s %-5s %-5s %-15s %-5s\n" "$backup_file" "$format" "$has_pwd" "$has_md5" "$has_sha256" "$backup_size" "$backup_age"; done |\ sort -k1 fi @@ -202,20 +203,21 @@ verify_file_exists() { # Function to download and verify files download_and_verify() { - local zip_url=$1 - local zip_file_name=$2 + local backup_url=$1 + local backup_file_name=$2 local password_url=$3 local md5_url=$4 local sha256_url=$5 + local format=$6 # Check if wget is installed if command -v wget &>/dev/null; then echo "Using wget to download the file." - wget -O "$zip_file_name" "$zip_url" + downloader="wget -O -" else # If wget is not installed, use curl echo "wget is not installed. Using curl to download the file." - curl -o "$zip_file_name" "$zip_url" + downloader="curl -s" fi # Download password, SHA-256 checksum, and MD5 checksum directly into variables 
@@ -223,59 +225,83 @@ download_and_verify() { local checksum_sha256=$(curl -s "$sha256_url") local checksum_md5=$(curl -s "$md5_url") + # Download file and generate hashes simultaneously + echo "Downloading file and generating hashes..." + $downloader "$backup_url" |\ + tee + >(sha256sum | awk '{print $1}' > "${backup_file_name}.sha256") \ + >(md5sum | awk '{print $1}' > "${backup_file_name}.md5") \ + > "$backup_file_name" + # Verify SHA-256 checksum echo "Verifying SHA-256 checksum..." - echo "$checksum_sha256 $zip_file_name" | sha256sum -c - if [ $? -ne 0 ]; then + if [[ $(cat "${backup_file_name}.sha256") != "$checksum_sha256" ]]; then echo "SHA-256 checksum verification failed." exit 1 else echo "SHA-256 checksum verified." fi + rm "${backup_file_name}.sha256" # Verify MD5 checksum echo "Verifying MD5 checksum..." - echo "$checksum_md5 $zip_file_name" | md5sum -c - if [ $? -ne 0 ]; then + if [[ $(cat "${backup_file_name}.md5") != "$checksum_md5" ]]; then echo "MD5 checksum verification failed." exit 1 else echo "MD5 checksum verified." fi + rm "${backup_file_name}.md5" - # Unzip the file - echo "Unzipping the file..." - unzip -P "$password" "$zip_file_name" - if [ $? -eq 0 ]; then - echo "File unzipped successfully." - - # Rename the extracted file - extracted_file="-" - new_name="${zip_file_name%.zip}" - mv "$extracted_file" "$new_name" + if [ "$format" = "zip" ]; then + # Unzip the file + echo "Unzipping the file..." + unzip -P "$password" "$backup_file_name" if [ $? -eq 0 ]; then - echo "File renamed to $new_name." + echo "File unzipped successfully." + # Rename the extracted file + extracted_file=$(unzip -l "$backup_file_name" | awk 'NR==4 {print $4}') + new_name="${backup_file_name%.zip}" + mv "$extracted_file" "$new_name" + if [ $? -eq 0 ]; then + echo "File renamed to $new_name." + else + echo "Failed to rename the file." + exit 1 + fi else - echo "Failed to rename the file." + echo "Failed to unzip the file." 
+ exit 1 + fi + elif [ "$format" = "zenc" ]; then + # Decrypt and decompress the already downloaded file + echo "Decrypting and decompressing the file..." + openssl enc -d -aes-256-cbc -k "$password" -in "$backup_file_name" |\ + gzip -d -c > "${backup_file_name%.zenc}" + if [ $? -eq 0 ]; then + echo "File decrypted and decompressed successfully." + else + echo "Failed to decrypt and decompress the file." exit 1 fi else - echo "Failed to unzip the file." + echo "Unknown backup format: $format" exit 1 fi } + # Function to erase a set of files from S3 erase_files() { local bucket_name=$1 local s3_folder=$2 - local zip_file=$3 + local backup_file=$3 - local pwd_file="${zip_file%.zip}.pwd" - local md5_file="${zip_file%.zip}.md5" - local sha256_file="${zip_file%.zip}.sha256" + local pwd_file="${backup_file%.zip}.pwd" + local md5_file="${backup_file%.zip}.md5" + local sha256_file="${backup_file%.zip}.sha256" - local files_to_delete=("$zip_file" "$pwd_file" "$md5_file" "$sha256_file") + local files_to_delete=("$backup_file" "$pwd_file" "$md5_file" "$sha256_file") echo "Deleting files from S3:" for file in "${files_to_delete[@]}"; do @@ -300,7 +326,7 @@ fetch_latest_backup_info_and_cleanup() { local cf_s3_service_name="${cf_s3_service_name:-ttahub-db-backups}" # Default to 'db-backups' if not provided local s3_folder="${s3_folder:-production}" # Default to root of the bucket if not provided local deletion_allowed="${deletion_allowed:-no}" # Default to no deletion if not provided - local list_zip_files="${list_zip_files:-no}" # Default to no listing of ZIP files if not provided + local list_backup_files="${list_backup_files:-no}" # Default to no listing of ZIP files if not provided local specific_file="${specific_file:-}" local download_and_verify="${download_and_verify:-no}" local erase_file="${erase_file:-}" 
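Review bot: `erase_files` still derives the companion names with `${backup_file%.zip}`, so for a `.zenc` backup the suffix is not stripped and the function targets `name.zenc.pwd`, `name.zenc.md5` and `name.zenc.sha256`. The archive is deleted while its real password and checksum objects are never targeted and stay in the bucket. Strip whichever extension is present first, e.g. `local base="${backup_file%.zip}"; base="${base%.zenc}"`, and build the three names from `$base`, as `fetch_latest_backup_info_and_cleanup` does for the `zenc` case later in this commit. The delete loop itself is outside the hunk.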
@@ -332,9 +358,9 @@ fetch_latest_backup_info_and_cleanup() { elif [ "${erase_file}" != "" ]; then # Erase the specified file along with its corresponding pwd, md5, and sha256 files erase_files "$bucket_name" "$s3_folder" "$erase_file" - elif [ "${list_zip_files}" = "yes" ]; then - # List all ZIP files if the option is enabled - list_all_zip_files "$bucket_name" "$s3_folder" + elif [ "${list_backup_files}" = "yes" ]; then + # List all ZIP and ZENC files if the option is enabled + list_all_backup_files "$bucket_name" "$s3_folder" else if [ -n "$specific_file" ]; then backup_file_name="${s3_folder}/${specific_file}" @@ -357,13 +383,22 @@ fetch_latest_backup_info_and_cleanup() { local sha256_file_name="${backup_file_name%.zip}.sha256" local password_file_name="${backup_file_name%.zip}.pwd" + # Determine the backup format + local format="zip" + if [[ "$backup_file_name" == *.zenc ]]; then + format="zenc" + md5_file_name="${backup_file_name%.zenc}.md5" + sha256_file_name="${backup_file_name%.zenc}.sha256" + password_file_name="${backup_file_name%.zenc}.pwd" + fi + # Generate presigned URLs for these files local urls IFS=' ' read -r -a urls <<< "$(generate_presigned_urls "$bucket_name" "$backup_file_name" "$password_file_name" "$md5_file_name" "$sha256_file_name")" if [ "${download_and_verify}" = "yes" ]; then # Perform download and verify functionality - download_and_verify "${urls[0]}" "$(basename "$backup_file_name")" "${urls[1]}" "${urls[2]}" "${urls[3]}" + download_and_verify "${urls[0]}" "$(basename "$backup_file_name")" "${urls[1]}" "${urls[2]}" "${urls[3]}" "$format" else # Print presigned URLs echo "Presigned URLs for the files:" 
@@ -385,12 +420,12 @@ while [[ "$#" -gt 0 ]]; do -n|--service-name) cf_s3_service_name="$2"; shift ;; -s|--s3-folder) s3_folder="$2"; shift ;; -a|--allow-deletion) deletion_allowed="yes" ;; - -l|--list-zip-files) list_zip_files="yes" ;; + -l|--list-backup-files) list_backup_files="yes" ;; -f|--specific-file) specific_file="$2"; shift ;; -d|--download-and-verify) download_and_verify="yes"; deletion_allowed="yes" ;; -e|--erase-file) erase_file="$2"; shift ;; -k|--delete-old-keys) delete_old_keys="yes" ;; - -h|--help) echo "Usage: $0 [-n | --service-name ] [-s | --s3-folder ] [-a | --allow-deletion] [-l | --list-zip-files] [-f | --specific-file ] [-d | --download-and-verify] [-e | --erase-file ] [-k | --delete-old-keys]"; exit 0 ;; + -h|--help) echo "Usage: $0 [-n | --service-name ] [-s | --s3-folder ] [-a | --allow-deletion] [-l | --list-backup-files] [-f | --specific-file ] [-d | --download-and-verify] [-e | --erase-file ] [-k | --delete-old-keys]"; exit 0 ;; *) echo "Unknown parameter passed: $1"; exit 12 ;; esac shift From 92ef784a321a3c95a932352e5aa94d38ea6eeeb5 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 6 Aug 2024 13:26:39 -0700 Subject: [PATCH 017/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 0c1e5a3197..583c6bd40b 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -313,30 +313,26 @@ function unbind_all_services() { local app_name="$1" validate_parameters "$app_name" - # log "INFO" "Unbinding all services from application $app_name..." - # Get the list of services bound to the application local services - services=$(cf services | grep "$app_name" | awk '{print $1}') + services=$(cf services | grep "$app_name" | awk '{print $1}') >&2 if [[ -z "$services" ]]; then - # log "INFO" "No services are bound to the application $app_name." return 0 fi # Loop through each service and unbind it from the application for service in $services; do - # log "INFO" "Unbinding service $service from application $app_name..." - if ! cf unbind-service "$app_name" "$service"; then + if ! cf unbind-service "$app_name" "$service" >&2; then log "ERROR" "Failed to unbind service $service from application $app_name." return 1 fi done - # log "INFO" "Successfully unbound all services from application $app_name." return 0 } + # Push the app using a manifest from a specific directory function push_app { local original_dir=$(pwd) # Save the original directory @@ -370,7 +366,7 @@ function push_app { # Log and return the app name log "INFO" "The app name is: $app_name" - echo $app_name + echo "$app_name" # Ensure only the app name is returned } # Function to start an app From c72f0f3b435f45fa1bc8409d2525199fadf6cfb1 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 6 Aug 2024 13:37:24 -0700 Subject: [PATCH 018/138] tweak to remove warning --- automation/db-backup/scripts/db_backup.sh | 2 +- automation/db-backup/scripts/db_restore.sh | 2 +- bin/latest_backup.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/db-backup/scripts/db_backup.sh b/automation/db-backup/scripts/db_backup.sh index 776cc8e4f9..14872903d1 100644 --- a/automation/db-backup/scripts/db_backup.sh +++ b/automation/db-backup/scripts/db_backup.sh 
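Review bot: In `unbind_all_services`, `grep "$app_name"` treats the name as an unanchored regular expression over the whole `cf services` line, so an app whose name is a substring of another app's name (or of a service or plan name) selects services that are not bound to it. `grep -F -- "$app_name"` at least stops regex interpretation, but an exact comparison against the bound-apps field is what prevents the substring match. The `>&2` appended to the `services=$(…)` assignment has no effect, because the substitution's stdout is already captured and the assignment itself prints nothing.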
@@ -574,7 +574,7 @@ perform_backup_and_upload() { set +e pg_dump |\ gzip |\ - openssl enc -aes-256-cbc -salt -k "${backup_password}" |\ + openssl enc -aes-256-cbc -salt -pbkdf2 -k "${backup_password}" |\ tee \ >(md5sum |\ awk '{print $1}' |\ diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 69e470e247..8183ece816 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -614,7 +614,7 @@ function perform_restore() { set -o pipefail aws s3 cp "s3://${AWS_DEFAULT_BUCKET}/${backup_file_path}" - |\ - openssl enc -d -aes-256-cbc -k "${backup_password}" |\ + openssl enc -d -aes-256-cbc -salt -pbkdf2 -k "${backup_password}" |\ gzip -d |\ PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" diff --git a/bin/latest_backup.sh b/bin/latest_backup.sh index 458d2d04af..341e2b4b9f 100644 --- a/bin/latest_backup.sh +++ b/bin/latest_backup.sh @@ -276,7 +276,7 @@ download_and_verify() { elif [ "$format" = "zenc" ]; then # Decrypt and decompress the already downloaded file echo "Decrypting and decompressing the file..." - openssl enc -d -aes-256-cbc -k "$password" -in "$backup_file_name" |\ + openssl enc -d -aes-256-cbc -salt -pbkdf2 -k "${password}" -in "$backup_file_name" |\ gzip -d -c > "${backup_file_name%.zenc}" if [ $? -eq 0 ]; then echo "File decrypted and decompressed successfully." From 81f7b68c669a911d661f0f69a9b8c37385bbf509 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 6 Aug 2024 14:09:20 -0700 Subject: [PATCH 019/138] fix for content being printed to terminal --- bin/latest_backup.sh | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/bin/latest_backup.sh b/bin/latest_backup.sh index 341e2b4b9f..62f0366e7d 100644 --- a/bin/latest_backup.sh +++ b/bin/latest_backup.sh 
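Review bot: `-k "${backup_password}"` passes the passphrase to openssl as a command-line argument, here in the `pg_dump` pipeline and in the two decrypt hunks of this commit (`db_restore.sh`, `bin/latest_backup.sh`), so it is readable from the process list for as long as the transfer runs. openssl can read it from the environment or a file descriptor instead, e.g. `openssl enc -aes-256-cbc -salt -pbkdf2 -pass env:backup_password` with the variable exported for that command only. `-pbkdf2` without `-iter` uses the tool's default iteration count; pinning `-iter` on both the backup and restore side keeps them in agreement if that default ever differs between hosts. `perform_backup_and_upload` continues outside the hunk.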
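Review bot: Adding `-pbkdf2` to the decrypt command here and in `bin/latest_backup.sh` changes the key derivation, so any archive written before this commit (encrypted without `-pbkdf2`) will no longer decrypt with the same passphrase. Neither script has a fallback, and nothing stored beside the archive records which derivation was used. If older backups must remain restorable, retry without `-pbkdf2` on failure or record the scheme next to the `.pwd` object. `-salt` plays no part in decryption, where the salt is read from the file header, and can be dropped from both decrypt lines.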
@@ -80,7 +80,7 @@ delete_service_key() { # Function to delete older service keys delete_old_service_keys() { local cf_s3_service_name=$1 - local current_service_key=$1 + local current_service_key=$2 local current_time=$(date +%s) local six_hours_in_seconds=21600 echo "Deleting older service keys for service instance ${cf_s3_service_name}..." @@ -228,10 +228,9 @@ download_and_verify() { # Download file and generate hashes simultaneously echo "Downloading file and generating hashes..." $downloader "$backup_url" |\ - tee - >(sha256sum | awk '{print $1}' > "${backup_file_name}.sha256") \ - >(md5sum | awk '{print $1}' > "${backup_file_name}.md5") \ - > "$backup_file_name" + tee >(sha256sum | awk '{print $1}' > "${backup_file_name}.sha256") \ + >(md5sum | awk '{print $1}' > "${backup_file_name}.md5") \ + > "$backup_file_name" # Verify SHA-256 checksum echo "Verifying SHA-256 checksum..." @@ -279,7 +278,7 @@ download_and_verify() { openssl enc -d -aes-256-cbc -salt -pbkdf2 -k "${password}" -in "$backup_file_name" |\ gzip -d -c > "${backup_file_name%.zenc}" if [ $? -eq 0 ]; then - echo "File decrypted and decompressed successfully." + echo "File decrypted and decompressed successfully: ${backup_file_name%.zenc}" else echo "Failed to decrypt and decompress the file." exit 1 @@ -320,7 +319,6 @@ erase_files() { done } - # Function to retrieve and use S3 service credentials fetch_latest_backup_info_and_cleanup() { local cf_s3_service_name="${cf_s3_service_name:-ttahub-db-backups}" # Default to 'db-backups' if not provided From 7241b52986553a3ea67ac56c35882bd9be3a62c7 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 6 Aug 2024 14:09:44 -0700 Subject: [PATCH 020/138] extra char on extension --- automation/db-backup/scripts/db_restore.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 8183ece816..c44a6357b4 100644 
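Review bot: The two `>(…)` process substitutions after `tee` in `download_and_verify` run asynchronously and bash does not wait for them, so the `cat "${backup_file_name}.sha256"` and `.md5` comparisons that follow can read a file that `sha256sum` or `md5sum` has not finished writing. The symptom is an intermittent checksum failure, and it makes verification depend on timing. Hashing the saved file once the pipeline has finished, `sha256sum "$backup_file_name" | awk '{print $1}'`, removes the race at the cost of a second read. The expected digests are fetched from the same bucket as the archive, so this check detects corruption in transit, not modification by anyone able to write to that bucket. The function continues outside the hunk.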
--- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -586,9 +586,9 @@ function perform_restore() { log "INFO" "Reading backup file paths from the latest backup file list" local backup_file_path md5_file_path sha256_file_path password_file_path backup_file_path=$(awk 'NR==1' latest_backup.txt) - md5_file_path="${backup_file_path%.gzenc}.md5" - sha256_file_path="${backup_file_path%.gzenc}.sha256" - password_file_path="${backup_file_path%.gzenc}.pwd" + md5_file_path="${backup_file_path%.zenc}.md5" + sha256_file_path="${backup_file_path%.zenc}.sha256" + password_file_path="${backup_file_path%.zenc}.pwd" parameters_validate "${backup_file_path}" parameters_validate "${md5_file_path}" parameters_validate "${sha256_file_path}" From ab07803ffc5efc9677f10da4bb2756c11316c88c Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 6 Aug 2024 15:34:01 -0700 Subject: [PATCH 021/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index c44a6357b4..9f4dcc39ea 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -616,7 +616,11 @@ function perform_restore() { aws s3 cp "s3://${AWS_DEFAULT_BUCKET}/${backup_file_path}" - |\ openssl enc -d -aes-256-cbc -salt -pbkdf2 -k "${backup_password}" |\ gzip -d |\ - PGPASSWORD="${PGPASSWORD}" psql -h "${PGHOST}" -U "${PGUSER}" -d "${PGDATABASE}" -p "${PGPORT}" + psql || { + log "ERROR" "failed to restore" + set -e + exit 1 + } log "INFO" "Database restore completed successfully" From b5d7df7da7c27173cad612549109424570ebfa68 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 08:22:14 -0700 Subject: [PATCH 022/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 78 ++++++++++++++++++++++++++++-- 1 file changed, 73 insertions(+), 5 deletions(-) 
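Review bot: The bare `psql` that now ends the restore pipeline exits 0 even when statements in the dump fail, so `|| { … exit 1 }` fires only on connection or pipeline errors and "Database restore completed successfully" can be logged after a partial restore. `psql -v ON_ERROR_STOP=1` makes the first SQL error fail the pipeline. Dropping the explicit `-h`/`-U`/`-d`/`-p` arguments also means the target is whatever `PGHOST`, `PGUSER`, `PGDATABASE` and `PGPORT` are exported as; if they are plain shell variables at this point, psql falls back to its defaults. The `set -e` inside the error block is followed immediately by `exit 1` and has no effect. `perform_restore` continues outside the hunk.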
diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 583c6bd40b..569182e0ea 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -308,6 +308,33 @@ function check_app_running { fi } +# Ensure the application is stopped +function ensure_app_stopped() { + local app_name=$1 + local timeout=${2:-300} # Default timeout is 300 seconds (5 minutes) + validate_parameters "$app_name" + + log "INFO" "Ensuring application '$app_name' is stopped..." + local start_time=$(date +%s) + local current_time + + while true; do + if ! check_app_running "$app_name"; then + log "INFO" "Application '$app_name' is already stopped." + return 0 # App is stopped + fi + + current_time=$(date +%s) + if (( current_time - start_time >= timeout )); then + log "ERROR" "Timeout reached while waiting for application '$app_name' to stop." + return 1 # Timeout reached + fi + + log "INFO" "Application '$app_name' is running. Waiting for it to stop..." + sleep 10 + done +} + # Unbind all services from the application function unbind_all_services() { local app_name="$1" @@ -332,7 +359,6 @@ function unbind_all_services() { return 0 } - # Push the app using a manifest from a specific directory function push_app { local original_dir=$(pwd) # Save the original directory @@ -451,8 +477,6 @@ function run_task { fi } - - # Function to monitor task function monitor_task { local app_name=$1 
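Review bot: `ensure_app_stopped` takes `timeout` from `$2` and uses it unvalidated in `(( current_time - start_time >= timeout ))`, where bash evaluates the variable's contents as an arithmetic expression, not as a literal number. `check_active_tasks`, added in a later hunk of this commit, has the same pattern. Reject non-integers before the loop, e.g. `[[ "$timeout" =~ ^[0-9]+$ ]] || { log "ERROR" "timeout must be an integer"; return 1; }`. The function also only polls `check_app_running` and never issues a stop, and it logs "already stopped" even after waiting, so both the name and the message say more than the body does.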
@@ -486,6 +510,37 @@ function monitor_task { done } +# Check for active tasks in the application +function check_active_tasks() { + local app_name=$1 + local timeout=${2:-300} # Default timeout is 300 seconds (5 minutes) + validate_parameters "$app_name" + + log "INFO" "Checking for active tasks in application '$app_name'..." + local start_time=$(date +%s) + local current_time + local active_tasks + + while true; do + active_tasks=$(cf tasks "$app_name" | grep -E "RUNNING|PENDING") + + if [ -z "$active_tasks" ]; then + log "INFO" "No active tasks found in application '$app_name'." + return 0 # No active tasks + fi + + current_time=$(date +%s) + if (( current_time - start_time >= timeout )); then + log "ERROR" "Timeout reached while waiting for active tasks to complete in application '$app_name'." + return 1 # Timeout reached + fi + + log "INFO" "Active tasks found. Waiting for tasks to complete..." + sleep 10 + done +} + + # Function to delete the app function delete_app { local app_name=$1 @@ -513,7 +568,7 @@ main() { validate_json "$json_input" # Parse JSON and assign to variables - local automation_dir manifest task_name command args + local automation_dir manifest task_name command args app_name automation_dir=$(echo "$json_input" | jq -r '.automation_dir // "./automation"') manifest=$(echo "$json_input" | jq -r '.manifest // "manifest.yml"') task_name=$(echo "$json_input" | jq -r '.task_name // "default-task-name"') @@ -522,6 +577,18 @@ main() { local service_credentials + # Check for active tasks and ensure the app is stopped before pushing + if check_app_exists "$app_name"; then + if ! check_active_tasks "$app_name" 300; then + log "ERROR" "Cannot proceed with pushing the app due to active tasks." + exit 1 + fi + if ! ensure_app_stopped "$app_name" 300; then + log "ERROR" "Cannot proceed with pushing the app as it is still running." + exit 1 + fi + fi + app_name=$(push_app "$automation_dir" "$manifest") start_app "$app_name" 
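Review bot: `check_active_tasks` treats empty output from `cf tasks "$app_name" | grep -E "RUNNING|PENDING"` as "no active tasks", so a failing `cf tasks` (expired login, wrong target) looks the same as an idle app and the caller goes on to push. Capture the output and status separately, `task_list=$(cf tasks "$app_name") || return 1`, and grep that variable. The pattern also matches `RUNNING` or `PENDING` anywhere on a line, including in a task's name or command column, which can hold the loop until the timeout for no reason.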
@@ -535,8 +602,9 @@ main() { # Clean up stop_app "$app_name" - # Currently only turing off to aid in speeding up cycle time + # Currently only turning off to aid in speeding up cycle time # delete_app "$app_name" } main "$@" + From 19216d3cac96a2d6f2fbb1a1561092ba5f49586f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 08:24:33 -0700 Subject: [PATCH 023/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index 9f4dcc39ea..ec5210e9c3 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -612,8 +612,8 @@ function perform_restore() { log "INFO" "Restoring the database from the backup file" set -x set -o pipefail - - aws s3 cp "s3://${AWS_DEFAULT_BUCKET}/${backup_file_path}" - |\ + + aws s3 cp "s3://${backup_file_path}" - |\ openssl enc -d -aes-256-cbc -salt -pbkdf2 -k "${backup_password}" |\ gzip -d |\ psql || { From 57f5bb5d6a87f7395a8d0ab432abf510fdce3df5 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 08:32:17 -0700 Subject: [PATCH 024/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 569182e0ea..dd9e93bf32 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -577,6 +577,8 @@ main() { local service_credentials + app_name=$(grep 'name:' "${automation_dir}/${manifest}" | awk '{print $3}' | tr -d '"') + # Check for active tasks and ensure the app is stopped before pushing if check_app_exists "$app_name"; then if ! check_active_tasks "$app_name" 300; then From 5ca09ecafa3e09a72c2e63be818fe11e5cb0f480 Mon Sep 17 00:00:00 2001 
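Review bot: With `set -x` left on just above this pipeline, bash traces each command with its arguments expanded, so the value of `-k "${backup_password}"` is written to the task's stderr log on every restore. Turn tracing off before the decrypt step (`set +x`), or pass the passphrase with `-pass env:…` so it never appears in the argument list. The change from `s3://${AWS_DEFAULT_BUCKET}/${backup_file_path}` to `s3://${backup_file_path}` assumes the first line of `latest_backup.txt` already carries the bucket name; that file's format is not visible here. `perform_restore` continues outside the hunk.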
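Review bot: `grep 'name:' "${automation_dir}/${manifest}" | awk '{print $3}'` returns a value for every manifest line that contains `name:`, so a manifest with more than one application, or any other key ending in `name:`, yields a multi-line `app_name` that is then passed to `check_app_exists`. It also depends on the `- name: value` layout, since `$3` is empty for an undashed `name: value` line. Anchoring the key and taking the first match, `grep -m1 -E '^[[:space:]]*-[[:space:]]*name:'`, is a smaller change than adding a YAML parser. `main` continues outside the hunk.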
From: GarrettEHill Date: Wed, 7 Aug 2024 14:43:57 -0700 Subject: [PATCH 025/138] add configurable timeout and extend the time for the restore --- .circleci/config.yml | 9 +++++++++ automation/ci/scripts/cf_lambda.sh | 16 +++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c1e1b6adae..e4c45dfe53 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -396,6 +396,10 @@ commands: success_message: description: "Success message for Slack notification" type: string + timeout: + description: "Max duration allowed for task" + type: integer + default: 300 steps: - run: name: Install Dependencies @@ -473,12 +477,16 @@ commands: --arg manifest "<< parameters.manifest >>" \ --arg task_name "<< parameters.task_name >>" \ --arg command "<< parameters.task_command >>" \ + --arg timeout_active_tasks "<< parameters.timeout >>" \ + --arg timeout_ensure_app_stopped "<< parameters.timeout >>" \ --argjson args '<< parameters.task_args >>' \ '{ automation_dir: $automation_dir, manifest: $manifest, task_name: $task_name, command: $command, + timeout_active_tasks: $timeout_active_tasks, + timeout_ensure_app_stopped: $timeout_ensure_app_stopped, args: $args }') @@ -560,6 +568,7 @@ commands: task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' manifest: "manifest-restore.yml" success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' + timeout: 600 cf_process: description: "Process database from S3" parameters: diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index dd9e93bf32..6760ba9e05 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -565,15 +565,17 @@ main() { local json_input="$1" validate_parameters "$json_input" - validate_json "$json_input" + validate_json("$json_input") # Parse JSON and assign to variables - local automation_dir manifest task_name command args app_name + local automation_dir manifest task_name command args app_name timeout_active_tasks timeout_ensure_app_stopped automation_dir=$(echo "$json_input" | jq -r '.automation_dir // "./automation"') manifest=$(echo "$json_input" | jq -r '.manifest // "manifest.yml"') task_name=$(echo "$json_input" | jq -r '.task_name // "default-task-name"') command=$(echo "$json_input" | jq -r '.command // "bash /path/to/default-script.sh"') args=$(echo "$json_input" | jq -r '.args // "default-arg1 default-arg2"') + timeout_active_tasks=$(echo "$json_input" | jq -r '.timeout_active_tasks // 300') + timeout_ensure_app_stopped=$(echo "$json_input" | jq -r '.timeout_ensure_app_stopped // 300') local service_credentials @@ -581,11 +583,11 @@ main() { # Check for active tasks and ensure the app is stopped before pushing if check_app_exists "$app_name"; then - if ! check_active_tasks "$app_name" 300; then + if ! check_active_tasks "$app_name" "$timeout_active_tasks"; then log "ERROR" "Cannot proceed with pushing the app due to active tasks." exit 1 fi - if ! ensure_app_stopped "$app_name" 300; then + if ! ensure_app_stopped "$app_name" "$timeout_ensure_app_stopped"; then log "ERROR" "Cannot proceed with pushing the app as it is still running." exit 1 fi 
@@ -594,16 +596,16 @@ main() { app_name=$(push_app "$automation_dir" "$manifest") start_app "$app_name" - if run_task "$app_name" "$task_name" "$command" "$args" && monitor_task "$app_name" "$task_name"; then + if run_task("$app_name" "$task_name" "$command" "$args") && monitor_task("$app_name" "$task_name"); then log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." - stop_app "$app_name" + stop_app("$app_name") exit 1 fi # Clean up - stop_app "$app_name" + stop_app("$app_name") # Currently only turning off to aid in speeding up cycle time # delete_app "$app_name" } From 4cbd741d32f686ca656fd7de39c157ec45ff4a4f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 14:51:10 -0700 Subject: [PATCH 026/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index ec5210e9c3..c00e496768 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -612,7 +612,10 @@ function perform_restore() { log "INFO" "Restoring the database from the backup file" set -x set -o pipefail - + + SQL_COMMAND="DROP DATABASE IF EXISTS \"${PGDATABASE}\"; CREATE DATABASE \"${PGDATABASE}\";" + psql -d postgres -c "$SQL_COMMAND" + aws s3 cp "s3://${backup_file_path}" - |\ openssl enc -d -aes-256-cbc -salt -pbkdf2 -k "${backup_password}" |\ gzip -d |\ From b64f0a8ea240334fd2b3122b6a920250d260184c Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 15:05:59 -0700 Subject: [PATCH 027/138] Update config.yml --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e4c45dfe53..eeb87b77db 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
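Review bot: The exit status of `psql -d postgres -c "$SQL_COMMAND"` is not checked, so unless `set -e` is in effect here a failed reset is followed by replaying the dump into the existing database. That failure is likely as written, because psql sends a multi-statement `-c` string as one implicit transaction and PostgreSQL rejects `DROP DATABASE` inside a transaction block. Issue the statements as separate `-c` options and stop on error: `psql -d postgres -v ON_ERROR_STOP=1 -c "DROP DATABASE IF EXISTS \"${PGDATABASE}\";" -c "CREATE DATABASE \"${PGDATABASE}\";" || exit 1`. The drop is irreversible, so it is safer placed after the backup object has been confirmed to download and decrypt; `perform_restore` continues outside the hunk.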
@@ -398,8 +398,8 @@ commands: type: string timeout: description: "Max duration allowed for task" - type: integer - default: 300 + type: string + default: "300" steps: - run: name: Install Dependencies @@ -568,7 +568,7 @@ commands: task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' manifest: "manifest-restore.yml" success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' - timeout: 600 + timeout: "600" cf_process: description: "Process database from S3" parameters: From 8ff92b8d6cf0419aabe3bbce0ecdd3fd059714ab Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 15:16:06 -0700 Subject: [PATCH 028/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 6760ba9e05..2d027c13b5 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -565,7 +565,7 @@ main() { local json_input="$1" validate_parameters "$json_input" - validate_json("$json_input") + validate_json "$json_input" # Parse JSON and assign to variables local automation_dir manifest task_name command args app_name timeout_active_tasks timeout_ensure_app_stopped From 02fe7739b1fae46cd86574ce66d6025b6b75d477 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 15:20:13 -0700 Subject: [PATCH 029/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 2d027c13b5..bd568e25fc 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -596,16 +596,16 @@ main() { app_name=$(push_app "$automation_dir" "$manifest") start_app "$app_name" - if run_task("$app_name" "$task_name" "$command" "$args") && monitor_task("$app_name" "$task_name"); then + if run_task "$app_name" "$task_name" "$command" "$args" && monitor_task "$app_name" "$task_name"; then log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." - stop_app("$app_name") + stop_app "$app_name" exit 1 fi # Clean up - stop_app("$app_name") + stop_app "$app_name" # Currently only turning off to aid in speeding up cycle time # delete_app "$app_name" } From c5594314f8156f1e1f36a2a07d8f4b511efc3b58 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 15:32:38 -0700 Subject: [PATCH 030/138] Update db_restore.sh --- automation/db-backup/scripts/db_restore.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/automation/db-backup/scripts/db_restore.sh b/automation/db-backup/scripts/db_restore.sh index c00e496768..e5b4101f1d 100644 --- a/automation/db-backup/scripts/db_restore.sh +++ b/automation/db-backup/scripts/db_restore.sh @@ -609,13 +609,16 @@ function perform_restore() { exit 1 } - log "INFO" "Restoring the database from the backup file" set -x set -o pipefail - SQL_COMMAND="DROP DATABASE IF EXISTS \"${PGDATABASE}\"; CREATE DATABASE \"${PGDATABASE}\";" - psql -d postgres -c "$SQL_COMMAND" + log "INFO" "Reset database before restore" + psql -d postgres < Date: Wed, 7 Aug 2024 15:45:13 -0700 Subject: [PATCH 031/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index bd568e25fc..f82fa5ef72 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -596,7 +596,7 @@ main() { app_name=$(push_app "$automation_dir" "$manifest") start_app "$app_name" - if run_task "$app_name" "$task_name" "$command" "$args" && monitor_task "$app_name" "$task_name"; then + if run_task "$app_name" "$task_name" "$command" "$args" && monitor_task "$app_name" "$task_name" $timeout_active_tasks; then log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." From caf8a385ad89e2ceb0354d5fcb8404e3cc05d704 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 16:07:21 -0700 Subject: [PATCH 032/138] Update manifest-restore.yml --- automation/manifest-restore.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/manifest-restore.yml b/automation/manifest-restore.yml index bee82dfcb2..f54d86b7e4 100644 --- a/automation/manifest-restore.yml +++ b/automation/manifest-restore.yml @@ -3,8 +3,8 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - memory: 512M - disk_quota: 512M + memory: 64M + disk_quota: 128M instances: 1 no-route: true buildpacks: From 2ac2164dd95997a29207cea9a20ad9726f287f87 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 16:36:05 -0700 Subject: [PATCH 033/138] reduce resources as more are not needed --- automation/manifest-restore.yml | 4 ++-- automation/manifest.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/automation/manifest-restore.yml b/automation/manifest-restore.yml index f54d86b7e4..8c415b0b33 100644 --- a/automation/manifest-restore.yml +++ b/automation/manifest-restore.yml @@ -3,8 +3,8 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - memory: 64M - disk_quota: 128M + memory: 32M + disk_quota: 64M instances: 1 no-route: true buildpacks: diff --git a/automation/manifest.yml b/automation/manifest.yml index 36c446bee1..6dc965abf7 100644 --- a/automation/manifest.yml +++ b/automation/manifest.yml 
@@ -3,8 +3,8 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - memory: 512M - disk_quota: 512M + memory: 32M + disk_quota: 64M instances: 1 no-route: true buildpacks: From 10cc8f31c602e4278744330a443535f152be09ac Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 16:36:16 -0700 Subject: [PATCH 034/138] Update config.yml --- .circleci/config.yml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index eeb87b77db..1f1570be89 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -568,7 +568,7 @@ commands: task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' manifest: "manifest-restore.yml" success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' - timeout: "600" + timeout: "900" cf_process: description: "Process database from S3" parameters: @@ -642,9 +642,15 @@ parameters: manual-trigger: type: boolean default: false + manual-restore: + type: boolean + default: false manual-process: type: boolean default: false + manual-backup: + type: boolean + default: false jobs: build_and_lint: executor: docker-executor @@ -1319,7 +1325,9 @@ workflows: when: and: - equal: [false, << pipeline.parameters.manual-trigger >>] + - equal: [false, << pipeline.parameters.manual-restore >>] - equal: [false, << pipeline.parameters.manual-process >>] + - equal: [false, << pipeline.parameters.manual-backup >>] jobs: - build_and_lint - build_and_lint_similarity_api 
@@ -1427,10 +1435,18 @@ workflows: equal: [true, << pipeline.parameters.manual-trigger >>] jobs: - backup_upload_production + manual_restore_production: + when: + equal: [true, << pipeline.parameters.manual-restore >>] + jobs: + - restore_production_for_processing manual_process_production: when: equal: [true, << pipeline.parameters.manual-process >>] jobs: - - restore_production_for_processing - # - process_production - # - process_backup + - process_production + manual_process_backup: + when: + equal: [true, << pipeline.parameters.manual-backup >>] + jobs: + - process_backup From 72220795a0df9cab61822f9933358df79d1877a0 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 7 Aug 2024 16:41:51 -0700 Subject: [PATCH 035/138] Update config.yml --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1f1570be89..9d65530e1d 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -584,7 +584,7 @@ commands: cloudgov_space: << parameters.cloudgov_space >> task_name: "process" task_command: "yarn processData:local" - task_args: '' + task_args: '{}' manifest: "manifest-process.yml" success_message: ':database: Restored data processed' parameters: From 44da07b2fd44ece2c584c3a0cb708106603a7861 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 9 Aug 2024 10:10:08 -0700 Subject: [PATCH 036/138] debug --- automation/manifest-process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/manifest-process.yml b/automation/manifest-process.yml index 9c8ccb0520..df2f1ea390 100644 --- a/automation/manifest-process.yml +++ b/automation/manifest-process.yml @@ -9,6 +9,6 @@ applications: no-route: true buildpacks: - https://github.com/cloudfoundry/nodejs-buildpack - command: ./automation/cf/scripts/idol.sh + command: find . -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh services: - ttahub-process 
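Review bot: The new `manual_restore_production` workflow runs `restore_production_for_processing` as soon as the `manual-restore` pipeline parameter is true, with no approval step in front of a job that overwrites a database. Anyone who can trigger a pipeline with parameters can start the restore, and the same holds for `manual_process_production` and `manual_process_backup` below it. I would put an approval job first, e.g. `- approve_restore: { type: approval }`, and give the restore job `requires: [approve_restore]`. Whether the jobs are restricted by branch or context elsewhere is not visible here, since the `workflows:` block continues outside the hunk.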
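Review bot: The `command:` line in `automation/manifest-process.yml` now runs a recursive `find` listing before the start script, which writes the application's whole file tree into the app log on every start. PATCH 037 widens it to `find /.`, the full container filesystem, and PATCH 038 copies that string into `automation/configs/process.env`, so the debug aid outlives the debugging commits. Log readers then see every path in the droplet, including any credential or config file names, and the listing adds start-up time and log volume. I would restore `command: ./automation/cf/scripts/idol.sh` before merge, or run the listing only when an explicit debug variable is set.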
From 0fe788e24f66bed036fdcbd4c87d1309d4a7e730 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 9 Aug 2024 11:40:32 -0700 Subject: [PATCH 037/138] more debugging --- automation/manifest-process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/manifest-process.yml b/automation/manifest-process.yml index df2f1ea390..067f637a1b 100644 --- a/automation/manifest-process.yml +++ b/automation/manifest-process.yml @@ -9,6 +9,6 @@ applications: no-route: true buildpacks: - https://github.com/cloudfoundry/nodejs-buildpack - command: find . -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh + command: find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh services: - ttahub-process From c09a7e639eeddb02869743e2ceef2b4e24f66e44 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 15:04:29 -0700 Subject: [PATCH 038/138] refactor restructure to use a dynamic manifest --- .circleci/config.yml | 28 ++-- automation/ci/scripts/cf_lambda.sh | 126 +++++++++--------- automation/configs/process-backup.env | 5 + automation/configs/process-restore.env | 5 + automation/configs/process.env | 5 + automation/configs/production-backup.env | 5 + automation/configs/production-restore.env | 5 + .../{manifest.yml => dynamic-manifest.yml} | 11 +- automation/manifest-process.yml | 14 -- automation/manifest-restore.yml | 18 --- 10 files changed, 110 insertions(+), 112 deletions(-) create mode 100644 automation/configs/process-backup.env create mode 100644 automation/configs/process-restore.env create mode 100644 automation/configs/process.env create mode 100644 automation/configs/production-backup.env create mode 100644 automation/configs/production-restore.env rename automation/{manifest.yml => dynamic-manifest.yml} (53%) delete mode 100644 automation/manifest-process.yml delete mode 100644 automation/manifest-restore.yml 
diff --git a/.circleci/config.yml b/.circleci/config.yml index dd6cf5bd40..b7c0196619 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -390,8 +390,8 @@ commands: task_args: description: "Arguments for the automation task" type: string - manifest: - description: "Manifest file for the automation task" + config: + description: "Config prefix for the automation task" type: string success_message: description: "Success message for Slack notification" @@ -400,6 +400,10 @@ commands: description: "Max duration allowed for task" type: string default: "300" + directory: + description: 'directory to root to push' + type: string + default: "./automation" steps: - run: name: Install Dependencies @@ -473,16 +477,16 @@ commands: command: | set -x json_data=$(jq -n \ - --arg automation_dir "./automation" \ - --arg manifest "<< parameters.manifest >>" \ + --arg directory "<< parameters.directory >>" \ + --arg config "<< parameters.config >>" \ --arg task_name "<< parameters.task_name >>" \ --arg command "<< parameters.task_command >>" \ --arg timeout_active_tasks "<< parameters.timeout >>" \ --arg timeout_ensure_app_stopped "<< parameters.timeout >>" \ --argjson args '<< parameters.task_args >>' \ '{ - automation_dir: $automation_dir, - manifest: $manifest, + directory: $directory, + config: $config, task_name: $task_name, command: $command, timeout_active_tasks: $timeout_active_tasks, 
@@ -536,9 +540,9 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "backup" - task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_backup.sh" + task_command: "cd ./app/db-backup/scripts; bash ./db_backup.sh" task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' - manifest: "manifest.yml" + config: "<< parameters.backup_prefix >>-backup" success_message: ':download::database: "<< parameters.backup_prefix >>" backup' cf_restore: description: "Restore backup database from S3" @@ -564,9 +568,9 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "restore" - task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_restore.sh" + task_command: "cd ./app/db-backup/scripts; bash ./db_restore.sh" task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' - manifest: "manifest-restore.yml" + config: "<< parameters.backup_prefix >>-restore" success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' timeout: "900" cf_process: @@ -585,8 +589,10 @@ commands: task_name: "process" task_command: "yarn processData:local" task_args: '{}' - manifest: "manifest-process.yml" + config: "process" success_message: ':database: Restored data processed' + directory: "./" + timeout: "1200" parameters: cg_org: description: "Cloud Foundry cloud.gov organization name" diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index f82fa5ef72..e1daa06844 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
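Review bot: The new `task_command` values in `cf_backup` and `cf_restore` chain `cd` and the script with `;`, so a failed `cd` still runs `bash ./db_backup.sh` (or `./db_restore.sh`) from the wrong directory. That matters more now that the path changed from the absolute `/home/vcap/app/db-backup/scripts` to the relative `./app/db-backup/scripts`, which resolves against whatever directory the task starts in; the hunk does not pin that. I would use `task_command: "cd ./app/db-backup/scripts && bash ./db_backup.sh"` and the matching form for restore, so a wrong path fails the task instead of running an unintended script. It would also help to document in the `config` lines that `<< parameters.backup_prefix >>-backup` must match a file under `automation/configs/`.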
@@ -266,7 +266,7 @@ function cleanup_service_key() { # ----------------------------------------------------------------------------- # Function to see if app already exists function check_app_exists { - local app_name=$1 + local app_name="tta-automation" # Check if an application exists by querying it local output @@ -287,7 +287,7 @@ function check_app_exists { # Function to check if an app is running function check_app_running { - local app_name=$1 + local app_name="tta-automation" # Get the application information local output @@ -310,16 +310,15 @@ function check_app_running { # Ensure the application is stopped function ensure_app_stopped() { - local app_name=$1 - local timeout=${2:-300} # Default timeout is 300 seconds (5 minutes) - validate_parameters "$app_name" + local app_name="tta-automation" + local timeout=${1:-300} # Default timeout is 300 seconds (5 minutes) log "INFO" "Ensuring application '$app_name' is stopped..." local start_time=$(date +%s) local current_time while true; do - if ! check_app_running "$app_name"; then + if ! check_app_running; then log "INFO" "Application '$app_name' is already stopped." return 0 # App is stopped fi @@ -337,7 +336,7 @@ function ensure_app_stopped() { # Unbind all services from the application function unbind_all_services() { - local app_name="$1" + local app_name="tta-automation" validate_parameters "$app_name" # Get the list of services bound to the application 
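Review bot: Each function touched here (`check_app_exists`, `check_app_running`, `ensure_app_stopped`, `unbind_all_services`, and the later hunks for `start_app`, `stop_app`, `manage_app`, `run_task`, `monitor_task`, `check_active_tasks`, `delete_app`) now repeats the literal `local app_name="tta-automation"`. A single `readonly APP_NAME="tta-automation"` near the top of the script, referenced as `"$APP_NAME"`, would keep the name in one place and make a future rename a one-line change. `unbind_all_services` still calls `validate_parameters "$app_name"` on what is now a constant, which can be dropped. These function bodies continue outside the hunks shown.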
@@ -363,42 +362,51 @@ function unbind_all_services() { function push_app { local original_dir=$(pwd) # Save the original directory local directory=$1 - local manifest_file=$2 + local config=$2 + validate_parameters "$directory" - validate_parameters "$manifest_file" + validate_parameters "$config" - # Change to the specified directory + # Change to the specified directory and find the manifest file cd "$directory" || { log "ERROR" "Failed to change directory to $directory"; cd "$original_dir"; exit 1; } + local manifest_file=$(find . -type f -name "dynamic-manifest.yml" | head -n 1) + + if [ -z "$manifest_file" ]; then + log "ERROR" "Manifest file dynamic-manifest.yml not found in directory $directory or its subdirectories" + cd "$original_dir" + exit 1 + fi - # Extract app name from the manifest file - local app_name - app_name=$(grep 'name:' "$manifest_file" | awk '{print $3}' | tr -d '"') + # Load the environment from the config file relative to the manifest directory + local config_file="$(dirname "$manifest_file")/configs/${config}.env" - # Unbind all services before pushing the app - unbind_all_services "$app_name" + if [ ! -f "$config_file" ]; then + log "ERROR" "Config file $config_file not found" + cd "$original_dir" + exit 1 + fi + + source "$config_file" || { log "ERROR" "Failed to load environment config: $config_file"; cd "$original_dir"; exit 1; } - # Push the app without routing or starting it, capturing output - local push_output - if ! push_output=$(cf push -f "$manifest_file" --no-route --no-start 2>&1); then - log "ERROR" "Failed to push application with error: $push_output" - cd "$original_dir" # Restore the original directory + # Unbind services and push the app + unbind_all_services "tta-automation" + + # Push the app + if ! cf push -f "$manifest_file" --no-route --no-start 2>&1; then + log "ERROR" "Failed to push application" + cd "$original_dir" exit 1 else log "INFO" "Application pushed successfully." 
fi - # Restore the original directory + # Restore original directory cd "$original_dir" - - # Log and return the app name - log "INFO" "The app name is: $app_name" - echo "$app_name" # Ensure only the app name is returned } # Function to start an app function start_app { - local app_name=$1 - validate_parameters "$app_name" + local app_name="tta-automation" log "INFO" "Starting application '$app_name'..." if ! cf start "$app_name"; then @@ -411,8 +419,7 @@ function start_app { # Function to stop an app function stop_app { - local app_name=$1 - validate_parameters "$app_name" + local app_name="tta-automation" # Unbind all services after stopping the app unbind_all_services "$app_name" @@ -428,8 +435,8 @@ function stop_app { # Function to manage the state of the application (start, restage, stop) function manage_app { - local app_name=$1 - local action=$2 # Action can be 'start', 'stop', or 'restage' + local app_name="tta-automation" + local action=$1 # Action can be 'start', 'stop', or 'restage' # Validate the action parameter if [[ "$action" != "start" && "$action" != "stop" && "$action" != "restage" ]]; then @@ -437,6 +444,7 @@ function manage_app { return 1 # Exit with an error status fi + log "INFO" "Telling application '$app_name' to $action..." # Perform the action on the application local output output=$(cf "$action" "$app_name" 2>&1) @@ -453,12 +461,11 @@ function manage_app { # Function to run a task with arguments function run_task { - local app_name=$1 - local task_name=$2 - local command=$3 - local args_json=$4 + local app_name="tta-automation" + local task_name=$1 + local command=$2 + local args_json=$3 - validate_parameters "$app_name" validate_parameters "$command" validate_parameters "$task_name" validate_parameters "$args_json" 
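Review bot: In `push_app`, the `config` value is interpolated into `configs/${config}.env` and the result is passed to `source` after only an emptiness check, so the caller's JSON decides which file gets executed as shell. A value containing `/` or `..` would select a file outside `configs/`. I would reject anything that is not a plain name before building the path, e.g. `[[ "$config" =~ ^[A-Za-z0-9_-]+$ ]] || { log "ERROR" "Invalid config name: $config"; exit 1; }`. Separately, `find . -type f -name "dynamic-manifest.yml" | head -n 1` takes whichever match is listed first, which is ambiguous when `directory` is the repository root; a fixed relative path would be more predictable.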
@@ -479,10 +486,10 @@ function run_task { # Function to monitor task function monitor_task { - local app_name=$1 - local task_name=$2 - local timeout=${3:-300} # Default timeout in seconds - validate_parameters "$app_name" + local app_name="tta-automation" + local task_name=$1 + local timeout=${2:-300} # Default timeout in seconds + validate_parameters "$task_name" local start_time local task_id @@ -512,9 +519,8 @@ function monitor_task { # Check for active tasks in the application function check_active_tasks() { - local app_name=$1 - local timeout=${2:-300} # Default timeout is 300 seconds (5 minutes) - validate_parameters "$app_name" + local app_name="tta-automation" + local timeout=${1:-300} # Default timeout is 300 seconds (5 minutes) log "INFO" "Checking for active tasks in application '$app_name'..." local start_time=$(date +%s) @@ -540,11 +546,10 @@ function check_active_tasks() { done } - # Function to delete the app function delete_app { - local app_name=$1 - validate_parameters "$app_name" + local app_name="tta-automation" + # Attempt to delete the application with options to force deletion without confirmation # and to recursively delete associated routes and services. cf delete "$app_name" -f -r 
@@ -568,47 +573,42 @@ main() { validate_json "$json_input" # Parse JSON and assign to variables - local automation_dir manifest task_name command args app_name timeout_active_tasks timeout_ensure_app_stopped - automation_dir=$(echo "$json_input" | jq -r '.automation_dir // "./automation"') - manifest=$(echo "$json_input" | jq -r '.manifest // "manifest.yml"') + local directory config task_name command args timeout_active_tasks timeout_ensure_app_stopped + directory=$(echo "$json_input" | jq -r '.directory // "./automation"') + config=$(echo "$json_input" | jq -r '.config // "error"') task_name=$(echo "$json_input" | jq -r '.task_name // "default-task-name"') command=$(echo "$json_input" | jq -r '.command // "bash /path/to/default-script.sh"') args=$(echo "$json_input" | jq -r '.args // "default-arg1 default-arg2"') timeout_active_tasks=$(echo "$json_input" | jq -r '.timeout_active_tasks // 300') timeout_ensure_app_stopped=$(echo "$json_input" | jq -r '.timeout_ensure_app_stopped // 300') - local service_credentials - - app_name=$(grep 'name:' "${automation_dir}/${manifest}" | awk '{print $3}' | tr -d '"') - # Check for active tasks and ensure the app is stopped before pushing - if check_app_exists "$app_name"; then - if ! check_active_tasks "$app_name" "$timeout_active_tasks"; then + if check_app_exists; then + if ! check_active_tasks "$timeout_active_tasks"; then log "ERROR" "Cannot proceed with pushing the app due to active tasks." exit 1 fi - if ! ensure_app_stopped "$app_name" "$timeout_ensure_app_stopped"; then + if ! ensure_app_stopped "$timeout_ensure_app_stopped"; then log "ERROR" "Cannot proceed with pushing the app as it is still running." 
exit 1 fi fi - app_name=$(push_app "$automation_dir" "$manifest") - start_app "$app_name" + push_app "$directory" "$config" + start_app - if run_task "$app_name" "$task_name" "$command" "$args" && monitor_task "$app_name" "$task_name" $timeout_active_tasks; then + if run_task "$task_name" "$command" "$args" && monitor_task "$task_name" $timeout_active_tasks; then log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." - stop_app "$app_name" + stop_app "tta-automation" exit 1 fi # Clean up - stop_app "$app_name" + stop_app # Currently only turning off to aid in speeding up cycle time - # delete_app "$app_name" + # delete_app "tta-automation" } main "$@" - diff --git a/automation/configs/process-backup.env b/automation/configs/process-backup.env new file mode 100644 index 0000000000..53135074ef --- /dev/null +++ b/automation/configs/process-backup.env @@ -0,0 +1,5 @@ +export MEMORY="32M" +export DISK_QUOTA="64M" +export BUILDPACK="binary_buildpack" +export COMMAND="./cf/scripts/idol.sh" +export SERVICES="- ttahub-process - ttahub-db-backups" diff --git a/automation/configs/process-restore.env b/automation/configs/process-restore.env new file mode 100644 index 0000000000..80bdea7907 --- /dev/null +++ b/automation/configs/process-restore.env @@ -0,0 +1,5 @@ +export MEMORY="32M" +export DISK_QUOTA="64M" +export BUILDPACK="binary_buildpack" +export COMMAND="./cf/scripts/idol.sh" +export SERVICES="- ttahub-db-backups - ttahub-dev - ttahub-sandbox - ttahub-staging" diff --git a/automation/configs/process.env b/automation/configs/process.env new file mode 100644 index 0000000000..7b6b63247f --- /dev/null +++ b/automation/configs/process.env @@ -0,0 +1,5 @@ +export MEMORY="512M" +export DISK_QUOTA="1GB" +export BUILDPACK="https://github.com/cloudfoundry/nodejs-buildpack" +export COMMAND="find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh" +export SERVICES="- ttahub-process" 
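Review bot: In `main()`, a missing `config` key falls back to the literal string `"error"` via `jq -r '.config // "error"'`, so the failure surfaces later as "Config file .../configs/error.env not found" rather than as a missing required input. I would fail at parse time, e.g. `config=$(echo "$json_input" | jq -er '.config') || { log "ERROR" "config is required"; exit 1; }`. The failure branch also still calls `stop_app "tta-automation"` while the success path calls `stop_app` with no argument; the argument is now ignored, so the two calls should match. The defaults for `command` and `args` (`bash /path/to/default-script.sh`, `default-arg1 default-arg2`) are placeholders of the same kind and would be safer as required fields.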
diff --git a/automation/configs/production-backup.env b/automation/configs/production-backup.env new file mode 100644 index 0000000000..62b1a2c7a7 --- /dev/null +++ b/automation/configs/production-backup.env @@ -0,0 +1,5 @@ +export MEMORY="32M" +export DISK_QUOTA="64M" +export BUILDPACK="binary_buildpack" +export COMMAND="./cf/scripts/idol.sh" +export SERVICES="- ttahub-prod - ttahub-db-backups" diff --git a/automation/configs/production-restore.env b/automation/configs/production-restore.env new file mode 100644 index 0000000000..f746fd7f47 --- /dev/null +++ b/automation/configs/production-restore.env @@ -0,0 +1,5 @@ +export MEMORY="32M" +export DISK_QUOTA="64M" +export BUILDPACK="binary_buildpack" +export COMMAND="./cf/scripts/idol.sh" +export SERVICES="- ttahub-db-backups - ttahub-process" diff --git a/automation/manifest.yml b/automation/dynamic-manifest.yml similarity index 53% rename from automation/manifest.yml rename to automation/dynamic-manifest.yml index 6dc965abf7..357025d16f 100644 --- a/automation/manifest.yml +++ b/automation/dynamic-manifest.yml @@ -3,13 +3,12 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - memory: 32M - disk_quota: 64M + memory: ${MEMORY} + disk_quota: ${DISK_QUOTA} instances: 1 no-route: true buildpacks: - - binary_buildpack - command: ./cf/scripts/idol.sh + - ${BUILDPACK} + command: ${COMMAND} services: - - ttahub-prod - - ttahub-db-backups + ${SERVICES} diff --git a/automation/manifest-process.yml b/automation/manifest-process.yml deleted file mode 100644 index 067f637a1b..0000000000 --- a/automation/manifest-process.yml +++ /dev/null 
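Review bot: The renamed `automation/dynamic-manifest.yml` uses shell-style placeholders (`${MEMORY}`, `${DISK_QUOTA}`, `${BUILDPACK}`, `${COMMAND}`, `${SERVICES}`), but the `push_app` change in this commit only sources the `.env` file and then runs `cf push -f "$manifest_file"`, with no substitution step in between. As far as I know `cf push` does not expand `${...}`; manifest variables use the `((name))` form together with `--var` or `--vars-file`, so these values would reach Cloud Foundry as literal strings. I would either render the file first (for example with `envsubst` into a temporary manifest) or switch to `((memory))`-style variables and a per-config vars file. `services: ${SERVICES}` also needs attention in either approach, because a list cannot be substituted into a scalar position.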
@@ -1,14 +0,0 @@ ---- -applications: -- name: tta-automation - stack: cflinuxfs4 - health-check-type: process - memory: 512M - disk_quota: 1GB - instances: 1 - no-route: true - buildpacks: - - https://github.com/cloudfoundry/nodejs-buildpack - command: find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh - services: - - ttahub-process diff --git a/automation/manifest-restore.yml b/automation/manifest-restore.yml deleted file mode 100644 index 8c415b0b33..0000000000 --- a/automation/manifest-restore.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -applications: -- name: tta-automation - stack: cflinuxfs4 - health-check-type: process - memory: 32M - disk_quota: 64M - instances: 1 - no-route: true - buildpacks: - - binary_buildpack - command: ./cf/scripts/idol.sh - services: - - ttahub-db-backups - - ttahub-process - # - ttahub-staging - # - ttahub-dev - # - ttahub-sandbox From 269f4fee0347d9b1414eda00b84a2c7519205bce Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 15:14:41 -0700 Subject: [PATCH 039/138] Update yarn-audit-known-issues --- yarn-audit-known-issues | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues index 18855f36ac..f338b97612 100644 --- a/yarn-audit-known-issues +++ b/yarn-audit-known-issues 
@@ -1,7 +1,23 @@ {"type":"auditAdvisory","data":{"resolution":{"id":1096366,"path":"email-templates>preview-email>mailparser>nodemailer","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.7.3","paths":["email-templates>preview-email>mailparser>nodemailer"]}],"metadata":null,"vulnerable_versions":"<=6.9.8","module_name":"nodemailer","severity":"moderate","github_advisory_id":"GHSA-9h6g-pr28-7cqp","cves":[],"access":"public","patched_versions":">=6.9.9","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-02-01T17:58:50.000Z","recommendation":"Upgrade to version 6.9.9 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096366,"references":"- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp\n- https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\n- https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n- https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a\n- https://github.com/advisories/GHSA-9h6g-pr28-7cqp","created":"2024-01-31T22:42:54.000Z","reported_by":null,"title":"nodemailer ReDoS when trying to send a specially crafted email","npm_advisory_id":null,"overview":"### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. 
\n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n","url":"https://github.com/advisories/GHSA-9h6g-pr28-7cqp"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098392,"path":"puppeteer>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"8.5.0","paths":["puppeteer>ws"]}],"metadata":null,"vulnerable_versions":">=8.0.0 <8.17.1","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=8.17.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-05T05:02:34.000Z","recommendation":"Upgrade to version 8.17.1 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1098392,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding 
the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. 
Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"newrelic>@newrelic/security-agent>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["@axe-core/cli>chromedriver>axios"]},{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- 
https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-406
7"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1098559,"path":"newrelic>@newrelic/security-agent>@aws-sdk/client-lambda>@aws-sdk/client-sts>fast-xml-parser","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.2.5","paths":["newrelic>@newrelic/security-agent>@aws-sdk/client-lambda>@aws-sdk/client-sts>fast-xml-parser"]}],"metadata":null,"vulnerable_versions":"<4.4.1","module_name":"fast-xml-parser","severity":"high","github_advisory_id":"GHSA-mpg4-rc92-vx8v","cves":["CVE-2024-41818"],"access":"public","patched_versions":">=4.4.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-08T05:10:58.000Z","recommendation":"Upgrade to version 4.4.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1098559,"references":"- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v\n- https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164\n- https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10\n- https://nvd.nist.gov/vuln/detail/CVE-2024-41818\n- https://github.com/advisories/GHSA-mpg4-rc92-vx8v","created":"2024-07-29T17:46:16.000Z","reported_by":null,"title":"fast-xml-parser vulnerable to ReDOS at currency parsing","npm_advisory_id":null,"overview":"### Summary\nA ReDOS exists on currency.js was discovered by Gauss Security Labs R&D team.\n\n### Details\nhttps://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10\ncontains a vulnerable regex \n\n### PoC\npass the following string '\\t'.repeat(13337) + '.'\n\n### Impact\nDenial of service during currency parsing in experimental version 5 of 
fast-xml-parser-library\n\nhttps://gauss-security.com","url":"https://github.com/advisories/GHSA-mpg4-rc92-vx8v"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"smartsheet>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["@axe-core/cli>chromedriver>axios"]},{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098593,"path":"redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.5.4","paths":["redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic"]}],"metadata":null,"vulnerable_versions":">=4.0.0 <=6.5.6","module_name":"elliptic","severity":"low","github_advisory_id":"GHSA-f7q4-pwc6-w24p","cves":["CVE-2024-42459"],"access":"public","patched_versions":">=6.5.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2024-08-15T17:53:40.000Z","recommendation":"Upgrade to version 6.5.7 or later","cwe":["CWE-347"],"found_by":null,"deleted":null,"id":1098593,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-42459\n- https://github.com/indutny/elliptic/pull/317\n- https://github.com/indutny/elliptic/commit/c0690b36be043ee73c1780ae4b7df48632b11cf9\n- https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11\n- https://github.com/advisories/GHSA-f7q4-pwc6-w24p","created":"2024-08-02T09:31:35.000Z","reported_by":null,"title":"Elliptic's EDDSA missing signature length check","npm_advisory_id":null,"overview":"In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.","url":"https://github.com/advisories/GHSA-f7q4-pwc6-w24p"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098594,"path":"redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.5.4","paths":["redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic"]}],"metadata":null,"vulnerable_versions":">=2.0.0 
<=6.5.6","module_name":"elliptic","severity":"low","github_advisory_id":"GHSA-977x-g7h5-7qgw","cves":["CVE-2024-42460"],"access":"public","patched_versions":">=6.5.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2024-08-15T17:53:06.000Z","recommendation":"Upgrade to version 6.5.7 or later","cwe":["CWE-130"],"found_by":null,"deleted":null,"id":1098594,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-42460\n- https://github.com/indutny/elliptic/pull/317\n- https://github.com/indutny/elliptic/commit/b6ff1758d9a6d1a7aec177ff6df9f586492a6315\n- https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11\n- https://github.com/advisories/GHSA-977x-g7h5-7qgw","created":"2024-08-02T09:31:35.000Z","reported_by":null,"title":"Elliptic's ECDSA missing check for whether leading bit of r and s is zero","npm_advisory_id":null,"overview":"In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.","url":"https://github.com/advisories/GHSA-977x-g7h5-7qgw"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098595,"path":"redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.5.4","paths":["redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic"]}],"metadata":null,"vulnerable_versions":">=5.2.1 <=6.5.6","module_name":"elliptic","severity":"low","github_advisory_id":"GHSA-49q7-c7j4-3p7m","cves":["CVE-2024-42461"],"access":"public","patched_versions":">=6.5.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2024-08-15T17:52:30.000Z","recommendation":"Upgrade to version 6.5.7 or later","cwe":["CWE-347"],"found_by":null,"deleted":null,"id":1098595,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-42461\n- 
https://github.com/indutny/elliptic/pull/317\n- https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11\n- https://github.com/advisories/GHSA-49q7-c7j4-3p7m","created":"2024-08-02T09:31:35.000Z","reported_by":null,"title":"Elliptic allows BER-encoded signatures","npm_advisory_id":null,"overview":"In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are allowed.","url":"https://github.com/advisories/GHSA-49q7-c7j4-3p7m"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cve
s":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@types/jest>expect>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- 
https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 
4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1094902,"path":"@axe-core/cli>chromedriver","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"109.0.0","paths":["@axe-core/cli>chromedriver"]}],"metadata":null,"vulnerable_versions":"<119.0.1","module_name":"chromedriver","severity":"moderate","github_advisory_id":"GHSA-hm92-vgmw-qfmx","cves":["CVE-2023-26156"],"access":"public","patched_versions":">=119.0.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-17T22:12:01.000Z","recommendation":"Upgrade to version 119.0.1 or later","cwe":["CWE-78"],"found_by":null,"deleted":null,"id":1094902,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","reported_by":null,"title":"chromedriver Command Injection vulnerability","npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. 
","url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 
","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 
","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>topo>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 
","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098582,"path":"newrelic>@newrelic/security-agent>axios","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-12T17:26:46.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098582,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098582,"path":"smartsheet>axios","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 
<=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-12T17:26:46.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098582,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"@axe-core/cli>chromedriver>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["@axe-core/cli>chromedriver>axios"]},{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- 
https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}}
From a48ed6d181ab7d8fe72d84f8337df9609e3e3929 Mon Sep 17 00:00:00 2001
From: GarrettEHill
Date: Fri, 23 Aug 2024 15:26:57 -0700
Subject: [PATCH 040/138] Update yarn-audit-known-issues
---
yarn-audit-known-issues | 20 ++------------------
1 file changed, 2 insertions(+), 18 deletions(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index f338b97612..eb1440461c 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1,23 +1,7 @@ {"type":"auditAdvisory","data":{"resolution":{"id":1096366,"path":"email-templates>preview-email>mailparser>nodemailer","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.7.3","paths":["email-templates>preview-email>mailparser>nodemailer"]}],"metadata":null,"vulnerable_versions":"<=6.9.8","module_name":"nodemailer","severity":"moderate","github_advisory_id":"GHSA-9h6g-pr28-7cqp","cves":[],"access":"public","patched_versions":">=6.9.9","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-02-01T17:58:50.000Z","recommendation":"Upgrade to version 6.9.9 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1096366,"references":"- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp\n- https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\n- https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n- https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a\n- https://github.com/advisories/GHSA-9h6g-pr28-7cqp","created":"2024-01-31T22:42:54.000Z","reported_by":null,"title":"nodemailer ReDoS when trying to send a specially crafted email","npm_advisory_id":null,"overview":"### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. 
\n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -> getAttachments -> _processDataUrl\n\nRegex: /(]* src\\s*=[\\s\"']*)(data:([^;]+);[^\"'>\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.\n","url":"https://github.com/advisories/GHSA-9h6g-pr28-7cqp"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098392,"path":"puppeteer>ws","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"8.5.0","paths":["puppeteer>ws"]}],"metadata":null,"vulnerable_versions":">=8.0.0 <8.17.1","module_name":"ws","severity":"high","github_advisory_id":"GHSA-3h5v-q93c-6h6q","cves":["CVE-2024-37890"],"access":"public","patched_versions":">=8.17.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-05T05:02:34.000Z","recommendation":"Upgrade to version 8.17.1 or later","cwe":["CWE-476"],"found_by":null,"deleted":null,"id":1098392,"references":"- https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n- https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\n- https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\n- https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\n- https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\n- https://github.com/advisories/GHSA-3h5v-q93c-6h6q","created":"2024-06-17T19:09:10.000Z","reported_by":null,"title":"ws affected by a DoS when handling a request with many HTTP headers","npm_advisory_id":null,"overview":"### Impact\n\nA request with a number of headers exceeding 
the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i < chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j < chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. 
Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n","url":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"newrelic>@newrelic/security-agent>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["@axe-core/cli>chromedriver>axios"]},{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- 
https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-406
7"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"newrelic>@newrelic/security-agent>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} 
{"type":"auditAdvisory","data":{"resolution":{"id":1098559,"path":"newrelic>@newrelic/security-agent>@aws-sdk/client-lambda>@aws-sdk/client-sts>fast-xml-parser","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.2.5","paths":["newrelic>@newrelic/security-agent>@aws-sdk/client-lambda>@aws-sdk/client-sts>fast-xml-parser"]}],"metadata":null,"vulnerable_versions":"<4.4.1","module_name":"fast-xml-parser","severity":"high","github_advisory_id":"GHSA-mpg4-rc92-vx8v","cves":["CVE-2024-41818"],"access":"public","patched_versions":">=4.4.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2024-08-08T05:10:58.000Z","recommendation":"Upgrade to version 4.4.1 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1098559,"references":"- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v\n- https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164\n- https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10\n- https://nvd.nist.gov/vuln/detail/CVE-2024-41818\n- https://github.com/advisories/GHSA-mpg4-rc92-vx8v","created":"2024-07-29T17:46:16.000Z","reported_by":null,"title":"fast-xml-parser vulnerable to ReDOS at currency parsing","npm_advisory_id":null,"overview":"### Summary\nA ReDOS exists on currency.js was discovered by Gauss Security Labs R&D team.\n\n### Details\nhttps://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10\ncontains a vulnerable regex \n\n### PoC\npass the following string '\\t'.repeat(13337) + '.'\n\n### Impact\nDenial of service during currency parsing in experimental version 5 of fast-xml-parser-library\n\nhttps://gauss-security.com","url":"https://github.com/advisories/GHSA-mpg4-rc92-vx8v"}}} 
-{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"smartsheet>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["@axe-core/cli>chromedriver>axios"]},{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098593,"path":"redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.5.4","paths":["redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic"]}],"metadata":null,"vulnerable_versions":">=4.0.0 
<=6.5.6","module_name":"elliptic","severity":"low","github_advisory_id":"GHSA-f7q4-pwc6-w24p","cves":["CVE-2024-42459"],"access":"public","patched_versions":">=6.5.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2024-08-15T17:53:40.000Z","recommendation":"Upgrade to version 6.5.7 or later","cwe":["CWE-347"],"found_by":null,"deleted":null,"id":1098593,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-42459\n- https://github.com/indutny/elliptic/pull/317\n- https://github.com/indutny/elliptic/commit/c0690b36be043ee73c1780ae4b7df48632b11cf9\n- https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11\n- https://github.com/advisories/GHSA-f7q4-pwc6-w24p","created":"2024-08-02T09:31:35.000Z","reported_by":null,"title":"Elliptic's EDDSA missing signature length check","npm_advisory_id":null,"overview":"In the Elliptic package 6.5.6 for Node.js, EDDSA signature malleability occurs because there is a missing signature length check, and thus zero-valued bytes can be removed or appended.","url":"https://github.com/advisories/GHSA-f7q4-pwc6-w24p"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098594,"path":"redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.5.4","paths":["redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic"]}],"metadata":null,"vulnerable_versions":">=2.0.0 <=6.5.6","module_name":"elliptic","severity":"low","github_advisory_id":"GHSA-977x-g7h5-7qgw","cves":["CVE-2024-42460"],"access":"public","patched_versions":">=6.5.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2024-08-15T17:53:06.000Z","recommendation":"Upgrade to version 6.5.7 or later","cwe":["CWE-130"],"found_by":null,"deleted":null,"id":1098594,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-42460\n- 
https://github.com/indutny/elliptic/pull/317\n- https://github.com/indutny/elliptic/commit/b6ff1758d9a6d1a7aec177ff6df9f586492a6315\n- https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11\n- https://github.com/advisories/GHSA-977x-g7h5-7qgw","created":"2024-08-02T09:31:35.000Z","reported_by":null,"title":"Elliptic's ECDSA missing check for whether leading bit of r and s is zero","npm_advisory_id":null,"overview":"In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because there is a missing check for whether the leading bit of r and s is zero.","url":"https://github.com/advisories/GHSA-977x-g7h5-7qgw"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098595,"path":"redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"6.5.4","paths":["redoc-cli>node-libs-browser>crypto-browserify>browserify-sign>elliptic"]}],"metadata":null,"vulnerable_versions":">=5.2.1 <=6.5.6","module_name":"elliptic","severity":"low","github_advisory_id":"GHSA-49q7-c7j4-3p7m","cves":["CVE-2024-42461"],"access":"public","patched_versions":">=6.5.7","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},"updated":"2024-08-15T17:52:30.000Z","recommendation":"Upgrade to version 6.5.7 or later","cwe":["CWE-347"],"found_by":null,"deleted":null,"id":1098595,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-42461\n- https://github.com/indutny/elliptic/pull/317\n- https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11\n- https://github.com/advisories/GHSA-49q7-c7j4-3p7m","created":"2024-08-02T09:31:35.000Z","reported_by":null,"title":"Elliptic allows BER-encoded signatures","npm_advisory_id":null,"overview":"In the Elliptic package 6.5.6 for Node.js, ECDSA signature malleability occurs because BER-encoded signatures are 
allowed.","url":"https://github.com/advisories/GHSA-49q7-c7j4-3p7m"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- 
https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
-{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@types/jest>expect>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- 
https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
-{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- 
https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
-{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- 
https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or 
later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.7","paths":["jest-cli>jest-util>micromatch","@types/jest>expect>jest-message-util>micromatch","@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","jest-cli>jest-config>@jest/test-sequencer>jest-runner>jest-runtime>jest-config>babel-jest>@jest/transform>jest-haste-map>sane>anymatch>micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 
4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1094902,"path":"@axe-core/cli>chromedriver","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"109.0.0","paths":["@axe-core/cli>chromedriver"]}],"metadata":null,"vulnerable_versions":"<119.0.1","module_name":"chromedriver","severity":"moderate","github_advisory_id":"GHSA-hm92-vgmw-qfmx","cves":["CVE-2023-26156"],"access":"public","patched_versions":">=119.0.1","cvss":{"score":5.6,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-11-17T22:12:01.000Z","recommendation":"Upgrade to version 119.0.1 or later","cwe":["CWE-78"],"found_by":null,"deleted":null,"id":1094902,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26156\n- https://github.com/giggio/node-chromedriver/commit/de961e34e023afcf4fa5c0faeeec69aaa6c3c815\n- https://gist.github.com/mcoimbra/47b1da554a80795c45126d51e41b2b18\n- https://security.snyk.io/vuln/SNYK-JS-CHROMEDRIVER-6049539\n- https://github.com/advisories/GHSA-hm92-vgmw-qfmx","created":"2023-11-09T06:30:28.000Z","reported_by":null,"title":"chromedriver Command Injection vulnerability","npm_advisory_id":null,"overview":"Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.\n\n**Note:**\n\nAn attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver. 
","url":"https://github.com/advisories/GHSA-hm92-vgmw-qfmx"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"smartsheet>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} 
{"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 
","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 
","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1096410,"path":"xml2json>joi>topo>hoek","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.2.1","paths":["xml2json>hoek"]},{"version":"5.0.4","paths":["xml2json>joi>hoek"]},{"version":"6.1.3","paths":["xml2json>joi>topo>hoek"]}],"metadata":null,"vulnerable_versions":"<=6.1.3","module_name":"hoek","severity":"high","github_advisory_id":"GHSA-c429-5p7v-vgjp","cves":["CVE-2020-36604"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":8.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2024-02-07T18:59:37.000Z","recommendation":"None","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1096410,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36604\n- https://github.com/hapijs/hoek/issues/352\n- https://github.com/hapijs/hoek/commit/4d0804bc6135ad72afdc5e1ec002b935b2f5216a\n- https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90\n- https://github.com/advisories/GHSA-c429-5p7v-vgjp","created":"2022-09-25T00:00:27.000Z","reported_by":null,"title":"hoek subject to prototype pollution via the clone function.","npm_advisory_id":null,"overview":"hoek versions prior to 8.5.1, and 9.x prior to 9.0.3 are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone() the key is converted to a prototype. This issue has been patched in version 9.0.3, and backported to 8.5.1. 
","url":"https://github.com/advisories/GHSA-c429-5p7v-vgjp"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098583,"path":"@axe-core/cli>chromedriver>axios","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.6.0","paths":["@axe-core/cli>chromedriver>axios"]},{"version":"1.6.0","paths":["newrelic>@newrelic/security-agent>axios"]},{"version":"1.6.1","paths":["smartsheet>axios"]}],"metadata":null,"vulnerable_versions":">=1.3.2 <=1.7.3","module_name":"axios","severity":"high","github_advisory_id":"GHSA-8hc4-vh64-cxmj","cves":["CVE-2024-39338"],"access":"public","patched_versions":">=1.7.4","cvss":{"score":0,"vectorString":null},"updated":"2024-08-13T19:53:25.000Z","recommendation":"Upgrade to version 1.7.4 or later","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1098583,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-39338\n- https://github.com/axios/axios/releases\n- https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html\n- https://github.com/axios/axios/issues/6463\n- https://github.com/axios/axios/pull/6539\n- https://github.com/axios/axios/pull/6543\n- https://github.com/axios/axios/commit/6b6b605eaf73852fb2dae033f1e786155959de3a\n- https://github.com/axios/axios/releases/tag/v1.7.4\n- https://github.com/advisories/GHSA-8hc4-vh64-cxmj","created":"2024-08-12T15:30:49.000Z","reported_by":null,"title":"Server-Side Request Forgery in axios","npm_advisory_id":null,"overview":"axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.","url":"https://github.com/advisories/GHSA-8hc4-vh64-cxmj"}}} From 15caf4f0adf1c6db9816d33718a2a5e470153b0e Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 15:39:53 -0700 Subject: [PATCH 041/138] Update yarn-audit-known-issues --- frontend/yarn-audit-known-issues | 80 ++++++++++++++++---------------- 1 file changed, 40 insertions(+), 40 deletions(-) 
diff --git a/frontend/yarn-audit-known-issues b/frontend/yarn-audit-known-issues
index b36de4ba33..0084f6081a 100644
--- a/frontend/yarn-audit-known-issues
+++ b/frontend/yarn-audit-known-issues
@@ -1,43 +1,43 @@ {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are 
vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- 
https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","pat
hs":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>
@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression 
Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>tailwindcss>fast-glob>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jes
t/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-
scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package 
`micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>react-dev-utils>globby>fast-glob>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/trans
form>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@j
est/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-ha
ste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-res
ult>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>
jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/t
est-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scr
ipts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jes
t/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression 
Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@
jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","rea
ct-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM 
package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest-resolve>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/tr
ansform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime
>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jes
t/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-
scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core
>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","r
eact-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts
>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-uti
l>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-
scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-mess
age-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch
","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>
jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>je
st-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/tes
t-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jes
t/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-run
time>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service 
(ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>babel-jest>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/repo
rters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-script
s>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporter
s>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>je
st>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/cor
e>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","
react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@j
est/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>microm
atch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-script
s>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-ut
il>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>mi
cromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/
console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jes
t-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test
-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>eslint-webpack-plugin>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/tr
ansform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cl
i>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/report
ers>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>
jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/cor
e>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","
react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>
@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micr
omatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","rea
ct-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-m
essage-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-ma
p>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@j
est/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transf
orm>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@je
st/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core
>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jes
t-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service 
(ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","re
act-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-conf
ig>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular 
Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>jest-config>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scri
pts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-
util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/rep
orters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scrip
ts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>@jest/core>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transfor
m>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jes
t/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest>jest-cli>@jest/core>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest
/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest
-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micro
match","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/con
sole>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>tailwindcss>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>je
st-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/co
re>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"http-proxy-middleware>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-h
aste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>j
est-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"react-scripts>webpack-dev-server>http-proxy-middleware>micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest
/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-s
cripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098615,"path":"micromatch","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","
react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-
sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<=4.0.7","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":0,"vectorString":null},"updated":"2024-08-21T22:59:40.000Z","recommendation":"None","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098615,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/d1641baf261e42ea437f3750c44f20cec0b33e1b\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jes
t/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>
@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>tailwindcss>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map
>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-messa
ge-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>react-dev-utils>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jes
t-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers
>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-sc
ripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequence
r>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>
jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/t
est-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial 
of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>mi
cromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/c
ore>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package 
`micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-
haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result
>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of 
Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest-resolve>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/tr
ansform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scri
pts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transfo
rm>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>j
est>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/tr
ansform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scri
pts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>bab
el-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>microma
tch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scri
pts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>
micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","r
eact-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-mess
age-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-h
aste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>
@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of 
Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["
react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/
test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>glob
by>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","r
eact-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree
>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatc
h","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/t
ypescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-messag
e-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-e
slint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest
-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typ
escript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/con
sole>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@types
cript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jes
t/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- 
https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel
-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"ve
rsion":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-webpack-plugin>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jes
t-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":[
"react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-s
equencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.
5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-confi
g>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"
version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>j
est-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>microma
tch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-
cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@j
est/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-
scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-script
s>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. 
There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-confi
g>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]
},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>
jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":
"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/tran
sform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>
@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-config>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@j
est/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>j
est-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/rep
orters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scrip
ts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transfor
m>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jes
t/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest
/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest
-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micro
match","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/con
sole>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>tailwindcss>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>je
st-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/co
re>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"http-proxy-middleware>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-h
aste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>j
est-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>webpack-dev-server>http-proxy-middleware>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest
/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-s
cripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","
react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-
sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} From 7c4f329b9771623326e8c3a0a24958da1b9ced59 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 16:14:36 -0700 Subject: [PATCH 042/138] fix formating --- automation/ci/scripts/cf_lambda.sh | 4 ++-- automation/configs/process-backup.env | 8 +++++--- automation/configs/process-restore.env | 8 +++++--- automation/configs/process.env | 6 ++++-- automation/configs/production-backup.env | 8 +++++--- automation/configs/production-restore.env | 8 +++++--- 6 files changed, 26 insertions(+), 16 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index e1daa06844..42382db448 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -389,7 +389,7 @@ function push_app { source "$config_file" || { log "ERROR" "Failed to load environment config: $config_file"; cd "$original_dir"; exit 1; } # Unbind services and push the app - unbind_all_services "tta-automation" + unbind_all_services # Push the app if ! cf push -f "$manifest_file" --no-route --no-start 2>&1; then @@ -422,7 +422,7 @@ function stop_app { local app_name="tta-automation" # Unbind all services after stopping the app - unbind_all_services "$app_name" + unbind_all_services log "INFO" "Stopping application '$app_name'..." if ! cf stop "$app_name"; then 
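Review bot: Both `unbind_all_services` calls (in push_app and in stop_app) now omit the app name, and the function's definition is outside these hunks, so it is not visible whether it still reads `$1`. If it does, the unbind would presumably run against an empty app name and the services would stay bound. In stop_app the comment above the call says `# Unbind all services after stopping the app`, yet the call sits before `cf stop "$app_name"`; either move the call below the stop or reword the comment to `# Unbind all services before stopping the app`. Both function bodies start and end outside the hunks.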
diff --git a/automation/configs/process-backup.env b/automation/configs/process-backup.env index 53135074ef..49e5797492 100644 --- a/automation/configs/process-backup.env +++ b/automation/configs/process-backup.env @@ -1,5 +1,7 @@ -export MEMORY="32M" -export DISK_QUOTA="64M" +export MEMORY=32M +export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -export SERVICES="- ttahub-process - ttahub-db-backups" + +# Update SERVICES to be properly formatted as a list +export SERVICES="- ttahub-process\n - ttahub-db-backups" diff --git a/automation/configs/process-restore.env b/automation/configs/process-restore.env index 80bdea7907..9d225ad8e9 100644 --- a/automation/configs/process-restore.env +++ b/automation/configs/process-restore.env @@ -1,5 +1,7 @@ -export MEMORY="32M" -export DISK_QUOTA="64M" +export MEMORY=32M +export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -export SERVICES="- ttahub-db-backups - ttahub-dev - ttahub-sandbox - ttahub-staging" + +# Update SERVICES to be properly formatted as a list +export SERVICES="- ttahub-db-backups\n - ttahub-dev\n - ttahub-sandbox\n - ttahub-staging" diff --git a/automation/configs/process.env b/automation/configs/process.env index 7b6b63247f..b7fc32f78b 100644 --- a/automation/configs/process.env +++ b/automation/configs/process.env @@ -1,5 +1,7 @@ -export MEMORY="512M" -export DISK_QUOTA="1GB" +export MEMORY=512M +export DISK_QUOTA=1GB export BUILDPACK="https://github.com/cloudfoundry/nodejs-buildpack" export COMMAND="find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh" + +# Update SERVICES to be properly formatted as a list export SERVICES="- ttahub-process" diff --git a/automation/configs/production-backup.env b/automation/configs/production-backup.env index 62b1a2c7a7..f7bb9e3a1e 100644 --- a/automation/configs/production-backup.env +++ b/automation/configs/production-backup.env 
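Review bot: The new `export SERVICES="- ttahub-process\n - ttahub-db-backups"` does not produce a two-item list, because inside double quotes bash keeps `\n` as a literal backslash and `n`. Whatever consumes the value sees one string, so the intended service bindings may not be applied as written. The same applies to the SERVICES lines in process-restore.env, production-backup.env and production-restore.env. If the value must carry a newline, use ANSI-C quoting, e.g. `export SERVICES=$'- ttahub-process\n  - ttahub-db-backups'`, with the indentation matched to the manifest. The added comment would read better as a description of the value, e.g. `# SERVICES: newline-separated YAML list items for the manifest's services key`.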
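Review bot: In process.env the unchanged `COMMAND` still starts with `find /. -print | sed ...` before launching `idol.sh`, so every start of the task writes a listing of the container's entire filesystem to the application log. That looks like debugging residue and exposes the file layout to anyone with log access. If it is no longer needed, reduce the value to `export COMMAND="./automation/cf/scripts/idol.sh"`, or add a comment explaining why the listing is kept.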
@@ -1,5 +1,7 @@ -export MEMORY="32M" -export DISK_QUOTA="64M" +export MEMORY=32M +export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -export SERVICES="- ttahub-prod - ttahub-db-backups" + +# Update SERVICES to be an array-like format +export SERVICES="- ttahub-prod\n - ttahub-db-backups" diff --git a/automation/configs/production-restore.env b/automation/configs/production-restore.env index f746fd7f47..e1f6efb820 100644 --- a/automation/configs/production-restore.env +++ b/automation/configs/production-restore.env @@ -1,5 +1,7 @@ -export MEMORY="32M" -export DISK_QUOTA="64M" +export MEMORY=32M +export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -export SERVICES="- ttahub-db-backups - ttahub-process" + +# Update SERVICES to be properly formatted as a list +export SERVICES="- ttahub-db-backups\n - ttahub-process" From f7c8a1c68ac5842c0735c4ddf3db6e11f14b9bd0 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 16:23:15 -0700 Subject: [PATCH 043/138] try to get the manifest file to work --- automation/ci/scripts/cf_lambda.sh | 17 ++++++++++++++++- automation/dynamic-manifest.yml | 2 +- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 42382db448..035178a3c9 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -386,20 +386,35 @@ function push_app { exit 1 fi + cat $config_file source "$config_file" || { log "ERROR" "Failed to load environment config: $config_file"; cd "$original_dir"; exit 1; } # Unbind services and push the app unbind_all_services + + # Create a temporary manifest file with the substitutions applied inline + temp_manifest_file=$(mktemp) + envsubst < "$manifest_file" > "$temp_manifest_file" + + cat "$temp_manifest_file" + # Push the app - if ! cf push -f "$manifest_file" --no-route --no-start 2>&1; then + if ! cf push -f "$temp_manifest_file" --no-route --no-start 2>&1; then log "ERROR" "Failed to push application" + + # Clean up the temporary manifest file + rm "$temp_manifest_file" + cd "$original_dir" exit 1 else log "INFO" "Application pushed successfully." fi + # Clean up the temporary manifest file + rm "$temp_manifest_file" + # Restore original directory cd "$original_dir" } diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index 357025d16f..77a97e53f3 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml @@ -11,4 +11,4 @@ applications: - ${BUILDPACK} command: ${COMMAND} services: - ${SERVICES} + - ${SERVICES// /, } From 027629c78159bade10f9e8a74c810e3d1b348d68 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 16:40:27 -0700 Subject: [PATCH 044/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 035178a3c9..e9d6e59a3b 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -395,7 +395,7 @@ function push_app { # Create a temporary manifest file with the substitutions applied inline temp_manifest_file=$(mktemp) - envsubst < "$manifest_file" > "$temp_manifest_file" + envsubst < "$manifest_file" >> "$temp_manifest_file" cat "$temp_manifest_file" 
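Review bot: `envsubst < "$manifest_file"` in push_app runs without a variable list, so any exported variable the manifest references is expanded, and the added `cat $config_file` and `cat "$temp_manifest_file"` then print the config and the rendered manifest to the CI log. In a job that also holds deploy credentials in its environment, that is an easy way for a secret to reach the log. Restrict the substitution to the names the config files define, e.g. `envsubst '${MEMORY} ${DISK_QUOTA} ${BUILDPACK} ${COMMAND} ${SERVICES}' < "$manifest_file" > "$temp_manifest_file"`, and drop the two `cat` calls or guard them behind a debug flag (and quote `"$config_file"`). The duplicated `rm "$temp_manifest_file"` on the two exit paths could be a single `trap 'rm -f "$temp_manifest_file"' EXIT` set right after `mktemp`. push_app's body begins before this hunk.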
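Review bot: `- ${SERVICES// /, }` in dynamic-manifest.yml uses bash pattern-substitution syntax, which `envsubst` does not evaluate; as far as I know it only replaces plain `$VAR` and `${VAR}` references. The line would therefore reach `cf push` unexpanded as a single, meaningless service name. Keep the manifest to a plain `${SERVICES}` reference and build the list value in the script. Alternatively, use Cloud Foundry's own `((var))` placeholders with `cf push --vars-file`, which can pass a real YAML list without text templating.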
From 9eec2f832454f2ebdfc8935511c43c972f63dc4c Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 23 Aug 2024 16:48:23 -0700 Subject: [PATCH 045/138] try a different method for BOUND_SERVICES --- automation/configs/process-backup.env | 4 ++-- automation/configs/process-restore.env | 4 ++-- automation/configs/process.env | 4 ++-- automation/configs/production-backup.env | 4 ++-- automation/configs/production-restore.env | 4 ++-- automation/dynamic-manifest.yml | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/automation/configs/process-backup.env b/automation/configs/process-backup.env index 49e5797492..a07099ac26 100644 --- a/automation/configs/process-backup.env +++ b/automation/configs/process-backup.env @@ -3,5 +3,5 @@ export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -# Update SERVICES to be properly formatted as a list -export SERVICES="- ttahub-process\n - ttahub-db-backups" +# Update BOUND_SERVICES to be properly formatted as a list +export BOUND_SERVICES="- ttahub-process\n - ttahub-db-backups" diff --git a/automation/configs/process-restore.env b/automation/configs/process-restore.env index 9d225ad8e9..36afcf79e1 100644 --- a/automation/configs/process-restore.env +++ b/automation/configs/process-restore.env @@ -3,5 +3,5 @@ export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -# Update SERVICES to be properly formatted as a list -export SERVICES="- ttahub-db-backups\n - ttahub-dev\n - ttahub-sandbox\n - ttahub-staging" +# Update BOUND_SERVICES to be properly formatted as a list +export BOUND_SERVICES="- ttahub-db-backups\n - ttahub-dev\n - ttahub-sandbox\n - ttahub-staging" diff --git a/automation/configs/process.env b/automation/configs/process.env index b7fc32f78b..c8dcae7f04 100644 --- a/automation/configs/process.env +++ b/automation/configs/process.env 
@@ -3,5 +3,5 @@ export DISK_QUOTA=1GB export BUILDPACK="https://github.com/cloudfoundry/nodejs-buildpack" export COMMAND="find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh" -# Update SERVICES to be properly formatted as a list -export SERVICES="- ttahub-process" +# Update BOUND_SERVICES to be properly formatted as a list +export BOUND_SERVICES="- ttahub-process" diff --git a/automation/configs/production-backup.env b/automation/configs/production-backup.env index f7bb9e3a1e..9e348a2e27 100644 --- a/automation/configs/production-backup.env +++ b/automation/configs/production-backup.env @@ -3,5 +3,5 @@ export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -# Update SERVICES to be an array-like format -export SERVICES="- ttahub-prod\n - ttahub-db-backups" +# Update BOUND_SERVICES to be an array-like format +export BOUND_SERVICES="- ttahub-prod\n - ttahub-db-backups" diff --git a/automation/configs/production-restore.env b/automation/configs/production-restore.env index e1f6efb820..c49375090d 100644 --- a/automation/configs/production-restore.env +++ b/automation/configs/production-restore.env @@ -3,5 +3,5 @@ export DISK_QUOTA=64M export BUILDPACK="binary_buildpack" export COMMAND="./cf/scripts/idol.sh" -# Update SERVICES to be properly formatted as a list -export SERVICES="- ttahub-db-backups\n - ttahub-process" +# Update BOUND_SERVICES to be properly formatted as a list +export BOUND_SERVICES="- ttahub-db-backups\n - ttahub-process" diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index 77a97e53f3..ab15a349b8 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml @@ -11,4 +11,4 @@ applications: - ${BUILDPACK} command: ${COMMAND} services: - - ${SERVICES// /, } + ${BOUND_SERVICES} From 48c15febf79e4eedc73299d5fe50b74baefada86 Mon Sep 17 00:00:00 2001 
From: GarrettEHill Date: Mon, 26 Aug 2024 10:29:58 -0700 Subject: [PATCH 046/138] switch to var_files model --- automation/ci/scripts/cf_lambda.sh | 12 +----------- automation/configs/process-backup.env | 7 ------- automation/configs/process-backup.yml | 10 ++++++++++ automation/configs/process-restore.env | 7 ------- automation/configs/process-restore.yml | 11 +++++++++++ automation/configs/process.env | 7 ------- automation/configs/process.yml | 8 ++++++++ automation/configs/production-backup.env | 7 ------- automation/configs/production-backup.yml | 9 +++++++++ automation/configs/production-restore.env | 7 ------- automation/configs/production-restore.yml | 9 +++++++++ automation/dynamic-manifest.yml | 13 ++++++------- 12 files changed, 54 insertions(+), 53 deletions(-) delete mode 100644 automation/configs/process-backup.env create mode 100644 automation/configs/process-backup.yml delete mode 100644 automation/configs/process-restore.env create mode 100644 automation/configs/process-restore.yml delete mode 100644 automation/configs/process.env create mode 100644 automation/configs/process.yml delete mode 100644 automation/configs/production-backup.env create mode 100644 automation/configs/production-backup.yml delete mode 100644 automation/configs/production-restore.env create mode 100644 automation/configs/production-restore.yml diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index e9d6e59a3b..c15c303199 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -386,21 +386,11 @@ function push_app { exit 1 fi - cat $config_file - source "$config_file" || { log "ERROR" "Failed to load environment config: $config_file"; cd "$original_dir"; exit 1; } - # Unbind services and push the app unbind_all_services - - # Create a temporary manifest file with the substitutions applied inline - temp_manifest_file=$(mktemp) - envsubst < "$manifest_file" >> "$temp_manifest_file" - - cat "$temp_manifest_file" - # Push the app - if ! cf push -f "$temp_manifest_file" --no-route --no-start 2>&1; then + if ! cf push -f "$manifest_file" --vars-file "$config_file" --no-route --no-start 2>&1; then log "ERROR" "Failed to push application" # Clean up the temporary manifest file diff --git a/automation/configs/process-backup.env b/automation/configs/process-backup.env deleted file mode 100644 index a07099ac26..0000000000 --- a/automation/configs/process-backup.env +++ /dev/null @@ -1,7 +0,0 @@ -export MEMORY=32M -export DISK_QUOTA=64M -export BUILDPACK="binary_buildpack" -export COMMAND="./cf/scripts/idol.sh" - -# Update BOUND_SERVICES to be properly formatted as a list -export BOUND_SERVICES="- ttahub-process\n - ttahub-db-backups" diff --git a/automation/configs/process-backup.yml b/automation/configs/process-backup.yml new file mode 100644 index 0000000000..5f58a7afc8 --- /dev/null +++ b/automation/configs/process-backup.yml @@ -0,0 +1,10 @@ +instances: 1 +memory: 32M +disk_quota: 64M + +buildpack: "binary_buildpack" +command: "./cf/scripts/idol.sh" + +bound_services: + - ttahub-process + - ttahub-db-backups diff --git a/automation/configs/process-restore.env b/automation/configs/process-restore.env deleted file mode 100644 index 36afcf79e1..0000000000 --- a/automation/configs/process-restore.env +++ /dev/null 
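Review bot: This hunk removes the `mktemp` assignment, yet its trailing context still shows `# Clean up the temporary manifest file`, which suggests the `rm "$temp_manifest_file"` calls after it remain; with the variable unset they would run `rm ""` and print an error on both the failure and success paths. Those lines are outside the hunk, so this is inferred and worth checking. The value passed to `--vars-file "$config_file"` is also built outside the hunk, so confirm it points at the new `.yml` files rather than the deleted `.env` ones.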
@@ -1,7 +0,0 @@ -export MEMORY=32M -export DISK_QUOTA=64M -export BUILDPACK="binary_buildpack" -export COMMAND="./cf/scripts/idol.sh" - -# Update BOUND_SERVICES to be properly formatted as a list -export BOUND_SERVICES="- ttahub-db-backups\n - ttahub-dev\n - ttahub-sandbox\n - ttahub-staging" diff --git a/automation/configs/process-restore.yml b/automation/configs/process-restore.yml new file mode 100644 index 0000000000..97afb1b58c --- /dev/null +++ b/automation/configs/process-restore.yml @@ -0,0 +1,11 @@ +memory: 32M +disk_quota: 64M + +buildpack: "binary_buildpack" +command: "./cf/scripts/idol.sh" + +bound_services: + - ttahub-db-backups + - ttahub-dev + - ttahub-sandbox + - ttahub-staging diff --git a/automation/configs/process.env b/automation/configs/process.env deleted file mode 100644 index c8dcae7f04..0000000000 --- a/automation/configs/process.env +++ /dev/null @@ -1,7 +0,0 @@ -export MEMORY=512M -export DISK_QUOTA=1GB -export BUILDPACK="https://github.com/cloudfoundry/nodejs-buildpack" -export COMMAND="find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh" - -# Update BOUND_SERVICES to be properly formatted as a list -export BOUND_SERVICES="- ttahub-process" diff --git a/automation/configs/process.yml b/automation/configs/process.yml new file mode 100644 index 0000000000..c015d298df --- /dev/null +++ b/automation/configs/process.yml @@ -0,0 +1,8 @@ +memory: 512M +disk_quota: 1GB + +buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" +command: "find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh" + +bound_services: + - ttahub-process diff --git a/automation/configs/production-backup.env b/automation/configs/production-backup.env deleted file mode 100644 index 9e348a2e27..0000000000 --- a/automation/configs/production-backup.env +++ /dev/null 
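Review bot: The `command:` value in the new process.yml still begins with `find /. -print | sed ...`, which walks the whole container filesystem and prints every path to the application log on each start before idol.sh runs. That is debugging output carried over from process.env; it exposes the droplet's full file layout to anyone with log access and buries useful log lines. I would reduce it to `command: "./automation/cf/scripts/idol.sh"`. This file also lacks the `instances` key that process-backup.yml defines and that dynamic-manifest.yml references as `((instances))` in this commit.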
@@ -1,7 +0,0 @@ -export MEMORY=32M -export DISK_QUOTA=64M -export BUILDPACK="binary_buildpack" -export COMMAND="./cf/scripts/idol.sh" - -# Update BOUND_SERVICES to be an array-like format -export BOUND_SERVICES="- ttahub-prod\n - ttahub-db-backups" diff --git a/automation/configs/production-backup.yml b/automation/configs/production-backup.yml new file mode 100644 index 0000000000..4bba44a623 --- /dev/null +++ b/automation/configs/production-backup.yml @@ -0,0 +1,9 @@ +memory: 32M +disk_quota: 64M + +buildpack: "binary_buildpack" +command: "./cf/scripts/idol.sh" + +bound_services: + - ttahub-prod + - ttahub-db-backups diff --git a/automation/configs/production-restore.env b/automation/configs/production-restore.env deleted file mode 100644 index c49375090d..0000000000 --- a/automation/configs/production-restore.env +++ /dev/null @@ -1,7 +0,0 @@ -export MEMORY=32M -export DISK_QUOTA=64M -export BUILDPACK="binary_buildpack" -export COMMAND="./cf/scripts/idol.sh" - -# Update BOUND_SERVICES to be properly formatted as a list -export BOUND_SERVICES="- ttahub-db-backups\n - ttahub-process" diff --git a/automation/configs/production-restore.yml b/automation/configs/production-restore.yml new file mode 100644 index 0000000000..9419938783 --- /dev/null +++ b/automation/configs/production-restore.yml @@ -0,0 +1,9 @@ +memory: 32M +disk_quota: 64M + +buildpack: "binary_buildpack" +command: "./cf/scripts/idol.sh" + +bound_services: + - ttahub-db-backups + - ttahub-process diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index ab15a349b8..89f0358152 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml 
@@ -3,12 +3,11 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - memory: ${MEMORY} - disk_quota: ${DISK_QUOTA} - instances: 1 + memory: ((memory)) + disk_quota: ((disk_quota)) + instances: ((instances)) no-route: true buildpacks: - - ${BUILDPACK} - command: ${COMMAND} - services: - ${BOUND_SERVICES} + - ((buildpack)) + command: ((command)) + services: ((bound_services)) From ca352a7686fb97bc6d0c3552b7f6027e69d6c7c7 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 10:50:12 -0700 Subject: [PATCH 047/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index c15c303199..c983832009 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -378,7 +378,7 @@ function push_app { fi # Load the environment from the config file relative to the manifest directory - local config_file="$(dirname "$manifest_file")/configs/${config}.env" + local config_file="$(dirname "$manifest_file")/configs/${config}.yml" if [ ! -f "$config_file" ]; then log "ERROR" "Config file $config_file not found" From 4d09a3a52261a953056b31ea055f989505d8760f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 10:57:13 -0700 Subject: [PATCH 048/138] missing values --- automation/ci/scripts/cf_lambda.sh | 6 ------ automation/configs/process-restore.yml | 1 + automation/configs/process.yml | 1 + automation/configs/production-backup.yml | 1 + automation/configs/production-restore.yml | 1 + 5 files changed, 4 insertions(+), 6 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index c983832009..cac3da1c01 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
@@ -393,18 +393,12 @@ function push_app { if ! cf push -f "$manifest_file" --vars-file "$config_file" --no-route --no-start 2>&1; then log "ERROR" "Failed to push application" - # Clean up the temporary manifest file - rm "$temp_manifest_file" - cd "$original_dir" exit 1 else log "INFO" "Application pushed successfully." fi - # Clean up the temporary manifest file - rm "$temp_manifest_file" - # Restore original directory cd "$original_dir" } diff --git a/automation/configs/process-restore.yml b/automation/configs/process-restore.yml index 97afb1b58c..644686c3a9 100644 --- a/automation/configs/process-restore.yml +++ b/automation/configs/process-restore.yml @@ -1,3 +1,4 @@ +instances: 1 memory: 32M disk_quota: 64M diff --git a/automation/configs/process.yml b/automation/configs/process.yml index c015d298df..672325913f 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -1,3 +1,4 @@ +instances: 1 memory: 512M disk_quota: 1GB diff --git a/automation/configs/production-backup.yml b/automation/configs/production-backup.yml index 4bba44a623..8e19a6c61e 100644 --- a/automation/configs/production-backup.yml +++ b/automation/configs/production-backup.yml @@ -1,3 +1,4 @@ +instances: 1 memory: 32M disk_quota: 64M diff --git a/automation/configs/production-restore.yml b/automation/configs/production-restore.yml index 9419938783..97437857ab 100644 --- a/automation/configs/production-restore.yml +++ b/automation/configs/production-restore.yml @@ -1,3 +1,4 @@ +instances: 1 memory: 32M disk_quota: 64M From 8a82bb312067cd539fd0f2aa0cd5a4adcefb9f30 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 11:12:02 -0700 Subject: [PATCH 049/138] Update config.yml --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b7c0196619..640cb7c226 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -540,7 +540,7 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "backup" - task_command: "cd ./app/db-backup/scripts; bash ./db_backup.sh" + task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_backup.sh" task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' config: "<< parameters.backup_prefix >>-backup" success_message: ':download::database: "<< parameters.backup_prefix >>" backup' @@ -568,7 +568,7 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "restore" - task_command: "cd ./app/db-backup/scripts; bash ./db_restore.sh" + task_command: "cd /home/vcap/app/db-backup/scripts; bash ./db_restore.sh" task_args: '["<< parameters.backup_prefix >>", "<< parameters.rds_service_name >>", "<< parameters.s3_service_name >>"]' config: "<< parameters.backup_prefix >>-restore" success_message: ':database: "<< parameters.backup_prefix >>" Restored to "<< parameters.rds_service_name >>"' From 457ab01578897175396f50849c83645fd133b720 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 11:23:07 -0700 Subject: [PATCH 050/138] old package no longer available --- automation/common/scripts/postgrescli_install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/common/scripts/postgrescli_install.sh b/automation/common/scripts/postgrescli_install.sh index ca99c7b76d..a056c01097 100644 --- a/automation/common/scripts/postgrescli_install.sh +++ b/automation/common/scripts/postgrescli_install.sh 
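Review bot: Both changed `task_command` values join their steps with `;`, as in `cd /home/vcap/app/db-backup/scripts; bash ./db_backup.sh`, so when the `cd` fails the script name is still resolved against whatever directory the task started in. A backup or restore job should fail closed instead: `task_command: "cd /home/vcap/app/db-backup/scripts && bash ./db_backup.sh"`, and the same for `db_restore.sh` in the hunk at line 568. The `process` task command introduced later in the series follows the same pattern.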
@@ -221,9 +221,9 @@ function cleanup() { # Main function to control workflow function main() { - local deb_url="http://security.debian.org/debian-security/pool/updates/main/p/postgresql-15/postgresql-client-15_15.6-0+deb12u1_amd64.deb" + local deb_url="https://security.debian.org/debian-security/pool/updates/main/p/postgresql-15/postgresql-client-15_15.8-0+deb12u1_amd64.deb" local deb_file="/tmp/postgresql.deb" - local deb_sha256="f601421f0f075c78df0ee289fbe075f38f52d08362ff2907d1710c26d5e53c39" + local deb_sha256="e88cfe7aa8548f8461dcbd56f69a1bb365affcd380469f705aca697fc2146994" local bin_dir="/tmp/local/bin" local tools=("pg_dump" "pg_isready" "pg_restore" "psql" "reindexdb" "vacuumdb") From ad8aa579fca4b04ad3c04632b1bcf4c205ae7b4b Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 15:27:32 -0700 Subject: [PATCH 051/138] Update config.yml --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 640cb7c226..d87d636ea4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -587,7 +587,7 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "process" - task_command: "yarn processData:local" + task_command: "node ./build/server/src/tools/processDataCLI.js" task_args: '{}' config: "process" success_message: ':database: Restored data processed' From da468945bfc656e69b5b307cbebe82b565d614a6 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 16:33:22 -0700 Subject: [PATCH 052/138] make a method to run commands within the lifecycle shell as a task --- .circleci/config.yml | 4 ++-- automation/nodejs/scripts/run.sh | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 automation/nodejs/scripts/run.sh diff --git a/.circleci/config.yml b/.circleci/config.yml index d87d636ea4..d65eb3b832 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
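Review bot: The new `deb_sha256` is the only integrity control on this package, since a .deb fetched directly by URL bypasses apt's signature checks, so the digest should be traceable to a trusted source rather than computed from whatever the download returned. A comment such as `# sha256 from the Debian Packages index for postgresql-client-15 15.8-0+deb12u1; update together with deb_url` would record that. The URL names a versioned file in the security pool, which disappears when the next update is published (the reason for this commit), so the job will break again; a mirror or archive that keeps old versions would avoid a rushed hash bump. Whether `deb_sha256` is enforced before the package is unpacked is decided outside this hunk in main().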
@@ -587,8 +587,8 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "process" - task_command: "node ./build/server/src/tools/processDataCLI.js" - task_args: '{}' + task_command: "cd /home/vcap/app/nodejs/scripts; bash ./run.sh" + task_args: '["./build/server/src/tools/processDataCLI.js"]' config: "process" success_message: ':database: Restored data processed' directory: "./" diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh new file mode 100644 index 0000000000..f7950fd843 --- /dev/null +++ b/automation/nodejs/scripts/run.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +# Check if an argument is passed +if [ -z "$1" ]; then + echo "Error: No path to the JavaScript file provided." + echo "Usage: ./run_process_data.sh " + exit 1 +fi + +JS_FILE_PATH=$1 + +/tmp/lifecycle/shell < Date: Mon, 26 Aug 2024 17:08:49 -0700 Subject: [PATCH 053/138] another test --- automation/configs/process.yml | 2 +- automation/nodejs/scripts/run.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index 672325913f..f0cda6416f 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -3,7 +3,7 @@ memory: 512M disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" -command: "find /. -print | sed -e 's;[^/]*/;|____;g;s;____|; |;g'; ./automation/cf/scripts/idol.sh" +command: "./automation/cf/scripts/idol.sh" bound_services: - ttahub-process diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index f7950fd843..5217b100cb 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/bash -x # Check if an argument is passed if [ -z "$1" ]; then From 2c8f781be4668f2d594bf4880f9da4afb1f1221a Mon Sep 17 00:00:00 2001 
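Review bot: The `-x` added to the shebang of run.sh has no effect as the script is invoked, because .circleci/config.yml runs it as `bash ./run.sh` and the interpreter line is then ignored. If tracing is wanted it has to be `set -x` in the body. Since xtrace prints every expanded command to the task log, limit it to the lines being debugged and remove it once the task works.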
From: GarrettEHill Date: Mon, 26 Aug 2024 17:34:26 -0700 Subject: [PATCH 054/138] Update config.yml --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index d65eb3b832..021b52ec87 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -587,7 +587,7 @@ commands: cloudgov_password: << parameters.cloudgov_password >> cloudgov_space: << parameters.cloudgov_space >> task_name: "process" - task_command: "cd /home/vcap/app/nodejs/scripts; bash ./run.sh" + task_command: "cd /home/vcap/app/automation/nodejs/scripts; bash ./run.sh" task_args: '["./build/server/src/tools/processDataCLI.js"]' config: "process" success_message: ':database: Restored data processed' From e19a38ae2323306c4e687df9323a5ad9108db2ce Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 17:51:09 -0700 Subject: [PATCH 055/138] Update run.sh --- automation/nodejs/scripts/run.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 5217b100cb..4946d8340f 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -7,9 +7,15 @@ if [ -z "$1" ]; then exit 1 fi +# Change to the application directory +cd /home/vcap/app || exit + JS_FILE_PATH=$1 /tmp/lifecycle/shell <&2 From 793373de2e1d01bb4a2c33a942c8b4b855ef5dc3 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 20:45:07 -0700 Subject: [PATCH 056/138] Update run.sh --- automation/nodejs/scripts/run.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 4946d8340f..5a06acbc73 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh 
@@ -10,12 +10,21 @@ fi # Change to the application directory cd /home/vcap/app || exit -JS_FILE_PATH=$1 +echo "Current directory:" $(pwd) >&2 +echo "JS File Path:" $1 >&2 +echo "Contents of directory:" >&2 +ls -al >&2 +# Run the lifecycle shell and capture the exit code /tmp/lifecycle/shell <&2 +echo "Shell exited with code $SHELL_EXIT_CODE" >&2 + +# Exit the script with the same exit code +exit $SHELL_EXIT_CODE From ec8df6f9e8e976092776766cacd072e9322629d7 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 26 Aug 2024 21:01:46 -0700 Subject: [PATCH 057/138] Update config.yml --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 021b52ec87..e9082e59c6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -588,7 +588,7 @@ commands: cloudgov_space: << parameters.cloudgov_space >> task_name: "process" task_command: "cd /home/vcap/app/automation/nodejs/scripts; bash ./run.sh" - task_args: '["./build/server/src/tools/processDataCLI.js"]' + task_args: '["/home/vcap/app/build/server/src/tools/processDataCLI.js"]' config: "process" success_message: ':database: Restored data processed' directory: "./" From d86366f3b7be9cdf85365d7c982aefe98f7c4ede Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 09:47:09 -0700 Subject: [PATCH 058/138] another test --- automation/nodejs/scripts/run.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 5a06acbc73..0b6810275d 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -17,7 +17,15 @@ ls -al >&2 # Run the lifecycle shell and capture the exit code /tmp/lifecycle/shell <&2 + +# Ensure Node.js is in the PATH or specify the full path if needed +export PATH="/home/vcap/app/.heroku/node/bin:$PATH" + +# Run the Node.js script node $1 EOF 
From fecc9588a0251d0cd831c422d298211d585a0f88 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 11:47:59 -0700 Subject: [PATCH 059/138] Update run.sh --- automation/nodejs/scripts/run.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 0b6810275d..01fa8e4ae8 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -20,11 +20,22 @@ ls -al >&2 # Inside the lifecycle environment # Print environment variables for debugging +echo "Environment variables:" >&2 printenv >&2 # Ensure Node.js is in the PATH or specify the full path if needed export PATH="/home/vcap/app/.heroku/node/bin:$PATH" +# Set the app directory environment variable (if required) +export APP_DIR="/home/vcap/app" + +# Set the working directory explicitly +cd /home/vcap/app + +# Check Node.js version +echo "Node.js version:" >&2 +node -v >&2 + # Run the Node.js script node $1 EOF From af989ecad32504f8438fa121843a92f10b50d7b2 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 13:50:54 -0700 Subject: [PATCH 060/138] Update run.sh --- automation/nodejs/scripts/run.sh | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 01fa8e4ae8..4ec852ed4c 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh 
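Review bot: `printenv >&2` inside the lifecycle shell block writes the full process environment to the task log, and for this app that includes `VCAP_SERVICES`, which src/lib/s3.js in this series parses for service credentials. The line is context here, added earlier in the series, but this hunk adds a label and more debugging around it, so it looks set to stay. I would remove it or print only named, non-secret variables, for example `printenv PATH HOME >&2`. Logs from earlier runs that already contain the dump should be treated as holding credentials.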
@@ -15,35 +15,16 @@ echo "JS File Path:" $1 >&2 echo "Contents of directory:" >&2 ls -al >&2 -# Run the lifecycle shell and capture the exit code -/tmp/lifecycle/shell <&2 -printenv >&2 - -# Ensure Node.js is in the PATH or specify the full path if needed -export PATH="/home/vcap/app/.heroku/node/bin:$PATH" - -# Set the app directory environment variable (if required) -export APP_DIR="/home/vcap/app" - -# Set the working directory explicitly -cd /home/vcap/app - -# Check Node.js version -echo "Node.js version:" >&2 -node -v >&2 +# Set the PATH from the lifecycle environment +export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin # Run the Node.js script node $1 -EOF -# Capture the exit code of the shell command +# Capture the exit code of the Node.js command SHELL_EXIT_CODE=$? -echo "Shell exited with code $SHELL_EXIT_CODE" >&2 +echo "Script exited with code $SHELL_EXIT_CODE" >&2 # Exit the script with the same exit code exit $SHELL_EXIT_CODE From 8f8dbba9c25bfe57ebfb4c57c66eb610f4dc2e08 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 14:21:35 -0700 Subject: [PATCH 061/138] Update process.yml --- automation/configs/process.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index f0cda6416f..b242cb10de 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -6,4 +6,5 @@ buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" command: "./automation/cf/scripts/idol.sh" bound_services: + - ttahub-db-backups # only needed to have an s3 for shared libraries to run correctly - ttahub-process From 615fac776f726dd11d31172e2c7676b4d2ef5667 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 14:38:21 -0700 Subject: [PATCH 062/138] Update process.yml --- automation/configs/process.yml | 1 + 1 file changed, 1 insertion(+) 
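Review bot: `node $1` is unquoted, so a script path containing spaces or glob characters is split or expanded before node receives it; `node "$1"` and `echo "JS File Path: $1" >&2` avoid that. The hard-coded `export PATH=...` replaces the inherited PATH with values copied from one observed lifecycle environment, including the buildpack index in `/home/vcap/deps/0/bin`, and will stop finding `node` if that layout changes. A guard such as `command -v node >/dev/null || exit 1` before the run would make that failure explicit. The `ls -al` and echo lines kept as context are debugging output that can be removed now.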
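Review bot: Binding `ttahub-db-backups` to this app only so that a shared library can initialise gives the data-processing task working credentials for the backup bucket, which it does not otherwise need. The next commit in the series does the same with `ttahub-redis-prod`, a production-named service. Least privilege argues for making the library tolerate a missing service rather than widening the bindings. If the bindings stay temporarily, the inline comment should name the follow-up that removes them.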
diff --git a/automation/configs/process.yml b/automation/configs/process.yml index b242cb10de..f8386862cf 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -7,4 +7,5 @@ command: "./automation/cf/scripts/idol.sh" bound_services: - ttahub-db-backups # only needed to have an s3 for shared libraries to run correctly + - ttahub-redis-prod # only needed to have an queue for shared libraries to run correctly - ttahub-process From 3f778cdd084596e1230f9937768df6f31afb1846 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 14:55:36 -0700 Subject: [PATCH 063/138] change needed to not require redis if no redis service is in env --- src/lib/queue.js | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/src/lib/queue.js b/src/lib/queue.js index b4b3721520..328ab35508 100644 --- a/src/lib/queue.js +++ b/src/lib/queue.js @@ -43,15 +43,29 @@ const generateRedisConfig = (enableRateLimiter = false) => { return redisSettings; } - const { REDIS_HOST: host, REDIS_PASS: password } = process.env; + + // Check for the presence of Redis-related environment variables + const { REDIS_HOST, REDIS_PASS, REDIS_PORT } = process.env; + + if (REDIS_HOST && REDIS_PASS) { + return { + host: REDIS_HOST, + uri: `redis://:${REDIS_PASS}@${REDIS_HOST}:${REDIS_PORT || 6379}`, + port: REDIS_PORT || 6379, + tlsEnabled: false, + redisOpts: { + redis: { password: REDIS_PASS }, + }, + }; + } + + // Return a minimal configuration if Redis is not configured return { - host, - uri: `redis://:${password}@${host}:${process.env.REDIS_PORT || 6379}`, - port: (process.env.REDIS_PORT || 6379), + host: null, + uri: null, + port: null, tlsEnabled: false, - redisOpts: { - redis: { password }, - }, + redisOpts: {}, }; }; From 37f3c24e7af9decd35d86d2e78dfc2a3d0995342 Mon Sep 17 00:00:00 2001 
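Review bot: The new `if (REDIS_HOST && REDIS_PASS)` guard changes behaviour for a Redis that has a host but no password, which previously still returned a host and port and now falls through to the all-null object. If that case matters, test `REDIS_HOST` alone and add the password only when it is set. The password is also interpolated raw into `uri`; `encodeURIComponent(REDIS_PASS)` keeps characters such as `@` or `/` from corrupting the URI. Callers of generateRedisConfig are outside this hunk, so confirm that they skip queue creation on `host: null` rather than letting the client fall back to a default host. The function begins above the hunk.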
From: GarrettEHill Date: Tue, 27 Aug 2024 14:56:02 -0700 Subject: [PATCH 064/138] change to not require s3 if there is no s3 in the env --- src/lib/s3.js | 48 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/src/lib/s3.js b/src/lib/s3.js index 44b3bfe2db..0f078626f9 100644 --- a/src/lib/s3.js +++ b/src/lib/s3.js @@ -2,7 +2,7 @@ import { S3 } from 'aws-sdk'; import { auditLogger } from '../logger'; const generateS3Config = () => { - // take configuration from cloud.gov if it is available. If not, use env variables. + // Take configuration from cloud.gov if it is available. If not, use env variables. if (process.env.VCAP_SERVICES) { const { credentials } = JSON.parse(process.env.VCAP_SERVICES).s3[0]; return { @@ -17,22 +17,37 @@ const generateS3Config = () => { }, }; } + + // Check for the presence of S3-related environment variables + const { S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_ENDPOINT } = process.env; + + if (S3_BUCKET && AWS_ACCESS_KEY_ID && AWS_SECRET_ACCESS_KEY) { + return { + bucketName: S3_BUCKET, + s3Config: { + accessKeyId: AWS_ACCESS_KEY_ID, + endpoint: S3_ENDPOINT, + secretAccessKey: AWS_SECRET_ACCESS_KEY, + signatureVersion: 'v4', + s3ForcePathStyle: true, + }, + }; + } + + // Return null if S3 is not configured return { - bucketName: process.env.S3_BUCKET, - s3Config: { - accessKeyId: process.env.AWS_ACCESS_KEY_ID, - endpoint: process.env.S3_ENDPOINT, - secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY, - signatureVersion: 'v4', - s3ForcePathStyle: true, - }, + bucketName: null, + s3Config: null, }; }; const { bucketName, s3Config } = generateS3Config(); -const s3 = new S3(s3Config); +const s3 = s3Config ? new S3(s3Config) : null; const deleteFileFromS3 = async (key, bucket = bucketName, s3Client = s3) => { + if (!s3Client || !bucket) { + throw new Error('S3 is not configured.'); + } const params = { Bucket: bucket, Key: key, 
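Review bot: The `VCAP_SERVICES` branch above the new code still reads `JSON.parse(process.env.VCAP_SERVICES).s3[0]` unconditionally, so an app that has services bound but no S3 among them throws a TypeError at import time and never reaches the new fallback. That appears to be the very case this commit targets. Guarding the lookup fixes it: `const s3Services = JSON.parse(process.env.VCAP_SERVICES).s3;` followed by `if (s3Services && s3Services.length) { ... }`. The Redis branch of generateRedisConfig in src/lib/queue.js may need the same guard; it is not visible here.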
@@ -55,6 +70,9 @@ const deleteFileFromS3Job = async (job) => { }; const verifyVersioning = async (bucket = bucketName, s3Client = s3) => { + if (!s3Client || !bucket) { + throw new Error('S3 is not configured.'); + } const versioningConfiguration = { MFADelete: 'Disabled', Status: 'Enabled', @@ -74,6 +92,9 @@ const verifyVersioning = async (bucket = bucketName, s3Client = s3) => { }; const downloadFile = (key) => { + if (!s3 || !bucketName) { + throw new Error('S3 is not configured.'); + } const params = { Bucket: bucketName, Key: key, @@ -83,6 +104,10 @@ const downloadFile = (key) => { const getPresignedURL = (Key, Bucket = bucketName, s3Client = s3, Expires = 360) => { const url = { url: null, error: null }; + if (!s3Client || !Bucket) { + url.error = new Error('S3 is not configured.'); + return url; + } try { const params = { Bucket, @@ -97,6 +122,9 @@ const getPresignedURL = (Key, Bucket = bucketName, s3Client = s3, Expires = 360) }; const uploadFile = async (buffer, name, type, s3Client = s3) => { + if (!s3Client || !bucketName) { + throw new Error('S3 is not configured.'); + } const params = { Body: buffer, Bucket: bucketName, From 2e98cb2ce5fd894acc565ea33ac43c773394b002 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 14:56:29 -0700 Subject: [PATCH 065/138] remove unneeded services --- automation/configs/process.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index f8386862cf..f0cda6416f 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -6,6 +6,4 @@ buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" command: "./automation/cf/scripts/idol.sh" bound_services: - - ttahub-db-backups # only needed to have an s3 for shared libraries to run correctly - - ttahub-redis-prod # only needed to have an queue for shared libraries to run correctly - ttahub-process From fe112c6f856c56f9c8439f22ed18ff9e61783275 Mon Sep 17 00:00:00 2001 
From: GarrettEHill Date: Tue, 27 Aug 2024 15:08:25 -0700 Subject: [PATCH 066/138] process reports in batches to reduce the memory load --- src/tools/processData.js | 156 +++++++++++++++++++++------------------ 1 file changed, 84 insertions(+), 72 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index ba324b156f..f29cdbec39 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -413,12 +413,8 @@ const processData = async (mockReport) => sequelize.transaction(async () => { const userIds = mockReport ? [3000, 3001, 3002, 3003] : null; const recipientsGrants = mockReport ? mockReport.imported.granteeName : null; - const reports = await ActivityReport.unscoped().findAll({ - where, - }); const files = await File.findAll(); - const promises = []; // Hide users 
@@ -426,76 +422,91 @@ const processData = async (mockReport) => sequelize.transaction(async () => { // Hide recipients and grants await hideRecipientsGrants(recipientsGrants); - // loop through the found reports - for await (const report of reports) { - const { imported } = report; + const BATCH_SIZE = 100; // Define a reasonable batch size + let offset = 0; + let reports; - promises.push( - report.update({ - managerNotes: await processHtml(report.managerNotes), - additionalNotes: await processHtml(report.additionalNotes), - context: await processHtml(report.context), - }, { individualHooks: true }), - ); - if (imported) { - // TODO: ttaProvided needs to move from ActivityReportObjective to ActivityReportObjective - const newImported = { - additionalNotesForThisActivity: await processHtml( - imported.additionalNotesForThisActivity, - ), - cdiGranteeName: await processHtml(imported.cdiGranteeName), - contextForThisActivity: await processHtml( - imported.contextForThisActivity, - ), - created: imported.created, - createdBy: convertEmails(imported.createdBy), - duration: imported.duration, - endDate: imported.endDate, - format: imported.format, - goal1: imported.goal1, - goal2: imported.goal2, - granteeFollowUpTasksObjectives: await processHtml( - imported.granteeFollowUpTasksObjectives, - ), - granteeName: convertRecipientName(imported.granteeName), - granteeParticipants: imported.granteeParticipants, - granteesLearningLevelGoal1: imported.granteesLearningLevelGoal1, - granteesLearningLevelGoal2: imported.granteesLearningLevelGoal2, - manager: convertEmails(imported.manager), - modified: imported.modified, - modifiedBy: convertEmails(imported.modifiedBy), - multiGranteeActivities: imported.multiGranteeActivities, - nonGranteeActivity: imported.nonGranteeActivity, - nonGranteeParticipants: imported.nonGranteeParticipants, - nonOhsResources: imported.nonOhsResources, - numberOfParticipants: imported.numberOfParticipants, - objective11: imported.objective11, - 
objective11Status: imported.objective11Status, - objective12: imported.objective12, - objective12Status: imported.objective12Status, - objective21: imported.objective21, - objective21Status: imported.objective21Status, - objective22: imported.objective22, - objective22Status: imported.objective22Status, - otherSpecialists: convertEmails(imported.otherSpecialists), - otherTopics: imported.otherTopics, - programType: imported.programType, - reasons: imported.reasons, - reportId: imported.reportId, - resourcesUsed: imported.resourcesUsed, - sourceOfRequest: imported.sourceOfRequest, - specialistFollowUpTasksObjectives: await processHtml( - imported.specialistFollowUpTasksObjectives, - ), - startDate: imported.startDate, - tTa: imported.tTa, - targetPopulations: imported.targetPopulations, - topics: imported.topics, - ttaProvidedAndGranteeProgressMade: imported.ttaProvidedAndGranteeProgressMade, - }; - promises.push(report.update({ imported: newImported }, { individualHooks: true })); + // Loop through the reports in batches + do { + reports = await ActivityReport.unscoped().findAll({ + where, + limit: BATCH_SIZE, + offset, + }); + + for await (const report of reports) { + const { imported } = report; + + promises.push( + report.update({ + managerNotes: await processHtml(report.managerNotes), + additionalNotes: await processHtml(report.additionalNotes), + context: await processHtml(report.context), + }, { individualHooks: true }), + ); + + if (imported) { + const newImported = { + additionalNotesForThisActivity: await processHtml( + imported.additionalNotesForThisActivity, + ), + cdiGranteeName: await processHtml(imported.cdiGranteeName), + contextForThisActivity: await processHtml( + imported.contextForThisActivity, + ), + created: imported.created, + createdBy: convertEmails(imported.createdBy), + duration: imported.duration, + endDate: imported.endDate, + format: imported.format, + goal1: imported.goal1, + goal2: imported.goal2, + granteeFollowUpTasksObjectives: 
await processHtml( + imported.granteeFollowUpTasksObjectives, + ), + granteeName: convertRecipientName(imported.granteeName), + granteeParticipants: imported.granteeParticipants, + granteesLearningLevelGoal1: imported.granteesLearningLevelGoal1, + granteesLearningLevelGoal2: imported.granteesLearningLevelGoal2, + manager: convertEmails(imported.manager), + modified: imported.modified, + modifiedBy: convertEmails(imported.modifiedBy), + multiGranteeActivities: imported.multiGranteeActivities, + nonGranteeActivity: imported.nonGranteeActivity, + nonGranteeParticipants: imported.nonGranteeParticipants, + nonOhsResources: imported.nonOhsResources, + numberOfParticipants: imported.numberOfParticipants, + objective11: imported.objective11, + objective11Status: imported.objective11Status, + objective12: imported.objective12, + objective12Status: imported.objective12Status, + objective21: imported.objective21, + objective21Status: imported.objective21Status, + objective22: imported.objective22, + objective22Status: imported.objective22Status, + otherSpecialists: convertEmails(imported.otherSpecialists), + otherTopics: imported.otherTopics, + programType: imported.programType, + reasons: imported.reasons, + reportId: imported.reportId, + resourcesUsed: imported.resourcesUsed, + sourceOfRequest: imported.sourceOfRequest, + specialistFollowUpTasksObjectives: await processHtml( + imported.specialistFollowUpTasksObjectives, + ), + startDate: imported.startDate, + tTa: imported.tTa, + targetPopulations: imported.targetPopulations, + topics: imported.topics, + ttaProvidedAndGranteeProgressMade: imported.ttaProvidedAndGranteeProgressMade, + }; + promises.push(report.update({ imported: newImported }, { individualHooks: true })); + } } - } + + offset += BATCH_SIZE; + // Continue fetching batches until all reports are processed + } while (reports.length === BATCH_SIZE); for (const file of files) { promises.push( 
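Review bot: The batched `findAll` in the new `do … while` loop pages with `limit` and `offset` but no `order`, while `report.update(...)` calls on the same rows are already in flight, so the database may return rows in a different order from one page to the next. A report can then be skipped or visited twice, and because this pass rewrites notes, e-mail addresses and recipient names, a skipped report would keep its original text. A stable sort fixes the paging, e.g. `order: [['id', 'ASC']],`, assuming `id` is the model's primary key. Separately, `promises` still holds every update until the `Promise.all` after the loop, so each batch's updates would need to be awaited before the next fetch for the batching to release memory. `processData` starts and ends outside this hunk.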
@@ -512,6 +523,7 @@ const processData = async (mockReport) => sequelize.transaction(async () => { where: {}, truncate: true, }); + await Promise.all(promises); return truncateAuditTables(); }); From 9a34d0517d3482b07295233a2b991198b4c0182e Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 15:47:00 -0700 Subject: [PATCH 067/138] better check for s3 existing --- src/lib/s3.js | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/src/lib/s3.js b/src/lib/s3.js index 0f078626f9..bdce317253 100644 --- a/src/lib/s3.js +++ b/src/lib/s3.js @@ -4,22 +4,32 @@ import { auditLogger } from '../logger'; const generateS3Config = () => { // Take configuration from cloud.gov if it is available. If not, use env variables. if (process.env.VCAP_SERVICES) { - const { credentials } = JSON.parse(process.env.VCAP_SERVICES).s3[0]; - return { - bucketName: credentials.bucket, - s3Config: { - accessKeyId: credentials.access_key_id, - endpoint: credentials.fips_endpoint, - region: credentials.region, - secretAccessKey: credentials.secret_access_key, - signatureVersion: 'v4', - s3ForcePathStyle: true, - }, - }; + const services = JSON.parse(process.env.VCAP_SERVICES); + + // Check if the s3 service is available in VCAP_SERVICES + if (services.s3 && services.s3.length > 0) { + const { credentials } = services.s3[0]; + return { + bucketName: credentials.bucket, + s3Config: { + accessKeyId: credentials.access_key_id, + endpoint: credentials.fips_endpoint, + region: credentials.region, + secretAccessKey: credentials.secret_access_key, + signatureVersion: 'v4', + s3ForcePathStyle: true, + }, + }; + } } // Check for the presence of S3-related environment variables - const { S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_ENDPOINT } = process.env; + const { + S3_BUCKET, + AWS_ACCESS_KEY_ID, + AWS_SECRET_ACCESS_KEY, + S3_ENDPOINT, + } = process.env; if (S3_BUCKET && AWS_ACCESS_KEY_ID && AWS_SECRET_ACCESS_KEY) { return { 
From c15f0fe2cd6c9d83e36ab5188645485fa268ac63 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 16:01:34 -0700 Subject: [PATCH 068/138] second attempt to remove the requirement for redis when using the code base just for tools --- src/lib/queue.js | 59 +++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/src/lib/queue.js b/src/lib/queue.js index 328ab35508..6ee7ccd3a4 100644 --- a/src/lib/queue.js +++ b/src/lib/queue.js 
@@ -4,44 +4,47 @@ import { auditLogger } from '../logger'; const generateRedisConfig = (enableRateLimiter = false) => { if (process.env.VCAP_SERVICES) { - const { - 'aws-elasticache-redis': [{ + const services = JSON.parse(process.env.VCAP_SERVICES); + + // Check if the 'aws-elasticache-redis' service is available in VCAP_SERVICES + if (services['aws-elasticache-redis'] && services['aws-elasticache-redis'].length > 0) { + const { credentials: { host, port, password, uri, }, - }], - } = JSON.parse(process.env.VCAP_SERVICES); - - let redisSettings = { - uri, - host, - port, - tlsEnabled: true, - // TLS needs to be set to an empty object for redis on cloud.gov - // eslint-disable-next-line no-empty-pattern - redisOpts: { - redis: { password, tls: {} }, - }, - }; - - // Explicitly set the rate limiter settings. - if (enableRateLimiter) { - redisSettings = { - ...redisSettings, + } = services['aws-elasticache-redis'][0]; + + let redisSettings = { + uri, + host, + port, + tlsEnabled: true, + // TLS needs to be set to an empty object for redis on cloud.gov + // eslint-disable-next-line no-empty-pattern redisOpts: { - ...redisSettings.redisOpts, - limiter: { - max: process.env.REDIS_LIMITER_MAX || 1000, - duration: process.env.REDIS_LIMITER_DURATION || 300000, - }, + redis: { password, tls: {} }, }, }; - } - return redisSettings; + // Explicitly set the rate limiter settings. + if (enableRateLimiter) { + redisSettings = { + ...redisSettings, + redisOpts: { + ...redisSettings.redisOpts, + limiter: { + max: process.env.REDIS_LIMITER_MAX || 1000, + duration: process.env.REDIS_LIMITER_DURATION || 300000, + }, + }, + }; + } + + return redisSettings; + } } // Check for the presence of Redis-related environment variables From 972dfb926c70e8d84c693cbbe73e2cd27f9bd746 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 16:20:59 -0700 Subject: [PATCH 069/138] Update run.sh --- automation/nodejs/scripts/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 4ec852ed4c..46ae4b7d1e 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -19,7 +19,7 @@ ls -al >&2 export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin # Run the Node.js script -node $1 +node --max-old-space-size=400 $1 # Capture the exit code of the Node.js command SHELL_EXIT_CODE=$? From 50264246b929f61395119a6e8b40ebbaff838065 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 16:36:27 -0700 Subject: [PATCH 070/138] give it more memory and make the node limit dynamic --- automation/configs/process.yml | 2 +- automation/nodejs/scripts/run.sh | 20 +++++++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index f0cda6416f..ea3cfa93bf 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 512M +memory: 1GB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 46ae4b7d1e..812e45b214 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh 
@@ -18,8 +18,26 @@ ls -al >&2 # Set the PATH from the lifecycle environment export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin +# Extract the MEMORY_LIMIT environment variable and determine the unit +if [[ $MEMORY_LIMIT == *G ]]; then + # Convert gigabytes to megabytes + MEMORY_LIMIT_MB=$((${MEMORY_LIMIT%G} * 1024)) +elif [[ $MEMORY_LIMIT == *M ]]; then + # Use megabytes as is + MEMORY_LIMIT_MB=${MEMORY_LIMIT%M} +else + echo "Unsupported MEMORY_LIMIT format." + exit 1 +fi + +# Calculate 80% of the MEMORY_LIMIT +MAX_OLD_SPACE_SIZE=$(echo "$MEMORY_LIMIT_MB * 0.8" | bc) + +# Round to the nearest whole number +MAX_OLD_SPACE_SIZE=${MAX_OLD_SPACE_SIZE%.*} + # Run the Node.js script -node --max-old-space-size=400 $1 +node --max-old-space-size=$MAX_OLD_SPACE_SIZE $1 # Capture the exit code of the Node.js command SHELL_EXIT_CODE=$? From 4f8d0ab0c65790ae5ef89b22dc1a34372922a973 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 16:54:52 -0700 Subject: [PATCH 071/138] fix memory format check, add force garbage collection --- automation/nodejs/scripts/run.sh | 6 +++--- src/tools/processData.js | 11 ++++++++++- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 812e45b214..ffb44a8576 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -19,10 +19,10 @@ ls -al >&2 export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin # Extract the MEMORY_LIMIT environment variable and determine the unit -if [[ $MEMORY_LIMIT == *G ]]; then +if [[ $MEMORY_LIMIT == *GB ]]; then # Convert gigabytes to megabytes MEMORY_LIMIT_MB=$((${MEMORY_LIMIT%G} * 1024)) -elif [[ $MEMORY_LIMIT == *M ]]; then +elif [[ $MEMORY_LIMIT == *MB ]]; then # Use megabytes as is MEMORY_LIMIT_MB=${MEMORY_LIMIT%M} else 
@@ -37,7 +37,7 @@ MAX_OLD_SPACE_SIZE=$(echo "$MEMORY_LIMIT_MB * 0.8" | bc) MAX_OLD_SPACE_SIZE=${MAX_OLD_SPACE_SIZE%.*} # Run the Node.js script -node --max-old-space-size=$MAX_OLD_SPACE_SIZE $1 +node --max-old-space-size=$MAX_OLD_SPACE_SIZE --expose-gc $1 # Capture the exit code of the Node.js command SHELL_EXIT_CODE=$? diff --git a/src/tools/processData.js b/src/tools/processData.js index f29cdbec39..9dbb597b24 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -419,9 +419,14 @@ const processData = async (mockReport) => sequelize.transaction(async () => { // Hide users await hideUsers(userIds); + + if (typeof global.gc === 'function') global.gc(); + // Hide recipients and grants await hideRecipientsGrants(recipientsGrants); + if (typeof global.gc === 'function') global.gc(); + const BATCH_SIZE = 100; // Define a reasonable batch size let offset = 0; let reports; @@ -505,7 +510,9 @@ const processData = async (mockReport) => sequelize.transaction(async () => { } offset += BATCH_SIZE; - // Continue fetching batches until all reports are processed + + // After processing each batch, trigger garbage collection + if (typeof global.gc === 'function') global.gc(); } while (reports.length === BATCH_SIZE); for (const file of files) { @@ -518,6 +525,8 @@ const processData = async (mockReport) => sequelize.transaction(async () => { await bootstrapUsers(); + if (typeof global.gc === 'function') global.gc(); + // Delete from RequestErrors await RequestErrors.destroy({ where: {}, From c63becd669b0b6f6cd4cfb82218f431c42ca5e8a Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 17:13:45 -0700 Subject: [PATCH 072/138] Update run.sh --- automation/nodejs/scripts/run.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index ffb44a8576..74cb7a1434 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh 
@@ -12,19 +12,20 @@ cd /home/vcap/app || exit echo "Current directory:" $(pwd) >&2 echo "JS File Path:" $1 >&2 -echo "Contents of directory:" >&2 -ls -al >&2 # Set the PATH from the lifecycle environment export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin +# Trim any leading or trailing whitespace from MEMORY_LIMIT +MEMORY_LIMIT=$(echo "$MEMORY_LIMIT" | xargs) + # Extract the MEMORY_LIMIT environment variable and determine the unit if [[ $MEMORY_LIMIT == *GB ]]; then # Convert gigabytes to megabytes - MEMORY_LIMIT_MB=$((${MEMORY_LIMIT%G} * 1024)) + MEMORY_LIMIT_MB=$((${MEMORY_LIMIT%GB} * 1024)) elif [[ $MEMORY_LIMIT == *MB ]]; then # Use megabytes as is - MEMORY_LIMIT_MB=${MEMORY_LIMIT%M} + MEMORY_LIMIT_MB=${MEMORY_LIMIT%MB} else echo "Unsupported MEMORY_LIMIT format." exit 1 From 6f2f4a79f78b4d68cba6857c5accfcbd4b28886b Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 20:34:46 -0700 Subject: [PATCH 073/138] Update run.sh --- automation/nodejs/scripts/run.sh | 68 ++++++++++++++++++++++++++++++-- 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 74cb7a1434..2ffef18d5f 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh 
@@ -1,5 +1,65 @@ #!/bin/bash -x +# Function to log messages with a timestamp +function log() { + local type="$1" + local message="$2" + local timestamp + timestamp=$(date '+%Y-%m-%d %H:%M:%S') + echo "[$timestamp] $type: $message" >&2 +} + +# Function to monitor memory usage +function monitor_memory() { + local pid=$1 + local interval=${2-0.5} + local max_mem_mb=0 + local max_system_mem_mb=0 + local mem_kb + local mem_mb + local system_mem_bytes + local system_mem_mb + local start_time + start_time=$(date +%s) # Record start time in seconds + + # Path to the container's memory cgroup + local MEM_CGROUP_PATH="/sys/fs/cgroup/memory" + + # Trap to handle script exits and interruptions + local exit_code duration end_time + trap 'exit_code=$?; \ + end_time=$(date +%s); \ + duration=$((end_time - start_time)); \ + log "STAT" "Exit code: $exit_code"; \ + log "STAT" "Maximum memory used by the process: $max_mem_mb MB"; \ + log "STAT" "Maximum container memory used: $max_system_mem_mb MB"; \ + log "STAT" "Duration of the run: $duration seconds from $start_time to $end_time"; \ + exit $exit_code' EXIT SIGINT SIGTERM + + # Monitor memory usage + log "INFO" "Monitoring started at: $start_time"; + while true; do + if [ ! -e "/proc/$pid" ]; then + break + fi + # Process-specific memory in kilobytes, then convert to megabytes + mem_kb=$(awk '/VmRSS/{print $2}' "/proc/$pid/status" 2>/dev/null) + mem_mb=$((mem_kb / 1024)) + if [[ "$mem_mb" -gt "$max_mem_mb" ]]; then + max_mem_mb=$mem_mb + fi + + # Container-specific memory (used memory) in bytes, then convert to megabytes + system_mem_bytes=$(cat $MEM_CGROUP_PATH/memory.usage_in_bytes) + system_mem_mb=$((system_mem_bytes / 1024 / 1024)) + if [[ "$system_mem_mb" -gt "$max_system_mem_mb" ]]; then + max_system_mem_mb=$system_mem_mb + fi + + sleep "$interval" + done +} + # Check if an argument is passed if [ -z "$1" ]; then echo "Error: No path to the JavaScript file provided." 
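Review bot: `monitor_memory` samples `VmRSS` from `/proc/$pid/status`, but its only call, `monitor_memory $$ &` in the last run.sh hunk of this commit, passes the script's own shell PID. The "Maximum memory used by the process" figure therefore describes bash, not the node process whose heap is being tuned. Starting node in the background and passing its PID fixes that: `node … $1 & NODE_PID=$!`, then `monitor_memory "$NODE_PID" &`, then `wait "$NODE_PID"` ahead of the existing `SHELL_EXIT_CODE=$?`. The function also has no header comment saying that the container figure is read from the cgroup v1 path in `MEM_CGROUP_PATH`.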
@@ -16,9 +76,6 @@ echo "JS File Path:" $1 >&2 # Set the PATH from the lifecycle environment export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin -# Trim any leading or trailing whitespace from MEMORY_LIMIT -MEMORY_LIMIT=$(echo "$MEMORY_LIMIT" | xargs) - # Extract the MEMORY_LIMIT environment variable and determine the unit if [[ $MEMORY_LIMIT == *GB ]]; then # Convert gigabytes to megabytes @@ -27,7 +84,7 @@ elif [[ $MEMORY_LIMIT == *MB ]]; then # Use megabytes as is MEMORY_LIMIT_MB=${MEMORY_LIMIT%MB} else - echo "Unsupported MEMORY_LIMIT format." + echo "Unsupported MEMORY_LIMIT format: '$MEMORY_LIMIT'" exit 1 fi @@ -37,6 +94,9 @@ MAX_OLD_SPACE_SIZE=$(echo "$MEMORY_LIMIT_MB * 0.8" | bc) # Round to the nearest whole number MAX_OLD_SPACE_SIZE=${MAX_OLD_SPACE_SIZE%.*} +# Start memory monitoring in the background +monitor_memory $$ & + # Run the Node.js script node --max-old-space-size=$MAX_OLD_SPACE_SIZE --expose-gc $1 From 10803d7c101db6d83c58e9f7fe5ffa85ac7b37d4 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 20:47:49 -0700 Subject: [PATCH 074/138] Update run.sh --- automation/nodejs/scripts/run.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 2ffef18d5f..1993195c3a 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -72,6 +72,7 @@ cd /home/vcap/app || exit echo "Current directory:" $(pwd) >&2 echo "JS File Path:" $1 >&2 +echo "env:" $(env) >&2 # Set the PATH from the lifecycle environment export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin From adaf7db56ec52e6a5d9f8ca06bd1260efcaa3b53 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 21:05:48 -0700 Subject: [PATCH 075/138] Update process.yml --- automation/configs/process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
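Review bot: The added `echo "env:" $(env) >&2` writes every environment variable to the task's stderr, which on this platform includes `VCAP_SERVICES`. Other files in this series read `secret_access_key` and the Redis `password` from that variable, so the log stream ends up carrying bound-service credentials in clear text. If the goal is to see which variables are set, print names only, `echo "env names:" $(compgen -e) >&2`, or drop the line once debugging is done. Credentials for services bound while this line ran should be treated as exposed to anyone with log access.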
diff --git a/automation/configs/process.yml b/automation/configs/process.yml index ea3cfa93bf..0dccb51c09 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 1GB +memory: 1024MB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" From 26721720a9538f7f474fc6f1acf39a781c0843dc Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 22:36:02 -0700 Subject: [PATCH 076/138] env var is not correct --- automation/nodejs/scripts/run.sh | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 1993195c3a..4881f597ec 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -77,17 +77,11 @@ echo "env:" $(env) >&2 # Set the PATH from the lifecycle environment export PATH=/home/vcap/deps/0/bin:/bin:/usr/bin:/home/vcap/app/bin:/home/vcap/app/node_modules/.bin -# Extract the MEMORY_LIMIT environment variable and determine the unit -if [[ $MEMORY_LIMIT == *GB ]]; then - # Convert gigabytes to megabytes - MEMORY_LIMIT_MB=$((${MEMORY_LIMIT%GB} * 1024)) -elif [[ $MEMORY_LIMIT == *MB ]]; then - # Use megabytes as is - MEMORY_LIMIT_MB=${MEMORY_LIMIT%MB} -else - echo "Unsupported MEMORY_LIMIT format: '$MEMORY_LIMIT'" - exit 1 -fi +# Get the total memory limit from cgroup in bytes +MEMORY_LIMIT_BYTES=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes) + +# Convert bytes to megabytes +MEMORY_LIMIT_MB=$(($MEMORY_LIMIT_BYTES / 1024 / 1024)) # Calculate 80% of the MEMORY_LIMIT MAX_OLD_SPACE_SIZE=$(echo "$MEMORY_LIMIT_MB * 0.8" | bc) From b671c02e518a0e599a7e840b4f5b3a87e74bd85c Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 23:02:50 -0700 Subject: [PATCH 077/138] bc not available in buildpack --- automation/nodejs/scripts/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
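Review bot: `MEMORY_LIMIT_BYTES=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes)` is used without checking that the read produced a number. If that file is absent (it is the cgroup v1 layout), the variable is empty and the `$(( … ))` conversion fails. As far as the visible lines show, nothing stops the script there, so node would be started with a heap limit derived from an empty value. A guard before the conversion makes the failure explicit: `[[ $MEMORY_LIMIT_BYTES =~ ^[0-9]+$ ]] || { echo "cannot read container memory limit" >&2; exit 1; }`.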
diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 4881f597ec..9d478fc4ab 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh @@ -84,7 +84,7 @@ MEMORY_LIMIT_BYTES=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes) MEMORY_LIMIT_MB=$(($MEMORY_LIMIT_BYTES / 1024 / 1024)) # Calculate 80% of the MEMORY_LIMIT -MAX_OLD_SPACE_SIZE=$(echo "$MEMORY_LIMIT_MB * 0.8" | bc) +MAX_OLD_SPACE_SIZE=$((MEMORY_LIMIT_MB * 8 / 10)) # Round to the nearest whole number MAX_OLD_SPACE_SIZE=${MAX_OLD_SPACE_SIZE%.*} From 6ad94c0ebcb8f1c70b56e050f13c111c45d1be49 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 23:03:15 -0700 Subject: [PATCH 078/138] Update process.yml --- automation/configs/process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index 0dccb51c09..ea3cfa93bf 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 1024MB +memory: 1GB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" From 45d7cc9f420f02339b9f50470b8b61ae1b6882d2 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 27 Aug 2024 23:33:28 -0700 Subject: [PATCH 079/138] more ram --- automation/configs/process.yml | 2 +- automation/nodejs/scripts/run.sh | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index ea3cfa93bf..3300f0c281 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 1GB +memory: 2GB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" diff --git a/automation/nodejs/scripts/run.sh b/automation/nodejs/scripts/run.sh index 9d478fc4ab..8f2667b422 100644 --- a/automation/nodejs/scripts/run.sh +++ b/automation/nodejs/scripts/run.sh 
@@ -83,17 +83,25 @@ MEMORY_LIMIT_BYTES=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes) # Convert bytes to megabytes MEMORY_LIMIT_MB=$(($MEMORY_LIMIT_BYTES / 1024 / 1024)) -# Calculate 80% of the MEMORY_LIMIT +# Calculate 80% of the MEMORY_LIMIT for max-old-space-size MAX_OLD_SPACE_SIZE=$((MEMORY_LIMIT_MB * 8 / 10)) # Round to the nearest whole number MAX_OLD_SPACE_SIZE=${MAX_OLD_SPACE_SIZE%.*} +# Calculate 1% of MEMORY_LIMIT for max-semi-space-size with a minimum of 16 MB +# 1% of MEMORY_LIMIT or 16 MB, whichever is larger +MAX_SEMI_SPACE_SIZE=$((MEMORY_LIMIT_MB / 100)) +if [ "$MAX_SEMI_SPACE_SIZE" -lt 16 ]; then + MAX_SEMI_SPACE_SIZE=16 +fi + # Start memory monitoring in the background monitor_memory $$ & # Run the Node.js script -node --max-old-space-size=$MAX_OLD_SPACE_SIZE --expose-gc $1 +echo "node --max-old-space-size=$MAX_OLD_SPACE_SIZE --max-semi-space-size=$MAX_SEMI_SPACE_SIZE --expose-gc $1" >&2 +node --max-old-space-size=$MAX_OLD_SPACE_SIZE --max-semi-space-size=$MAX_SEMI_SPACE_SIZE --expose-gc $1 # Capture the exit code of the Node.js command SHELL_EXIT_CODE=$? From 912d05b01d29169f384b470d4cfe9e02d17e3911 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 08:25:33 -0700 Subject: [PATCH 080/138] try different manifest structure --- automation/dynamic-manifest.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index 89f0358152..cc137e4a6e 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml 
@@ -3,11 +3,16 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - memory: ((memory)) - disk_quota: ((disk_quota)) - instances: ((instances)) + # memory: ((memory)) + # disk_quota: ((disk_quota)) + # instances: ((instances)) no-route: true buildpacks: - ((buildpack)) command: ((command)) services: ((bound_services)) + processes: + - type: worker + instances: ((instances)) + command: ((command)) + memory: ((memory)) From df93fd35bde26609f22e9cafc7981399ac2e2ced Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 08:42:01 -0700 Subject: [PATCH 081/138] Update yarn-audit-known-issues --- frontend/yarn-audit-known-issues | 81 ++++++++++++++++---------------- 1 file changed, 41 insertions(+), 40 deletions(-) diff --git a/frontend/yarn-audit-known-issues b/frontend/yarn-audit-known-issues index 0084f6081a..34ae28039f 100644 --- a/frontend/yarn-audit-known-issues +++ b/frontend/yarn-audit-known-issues 
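Review bot: `disk_quota` is commented out at the application level and not carried into the new `processes` entry, so the `disk_quota` value from automation/configs/process.yml is no longer applied to the task. Adding `disk_quota: ((disk_quota))` under the `worker` process restores it. The application-level `command: ((command))` is also still present next to the process-level one; keeping a single copy avoids the two drifting apart. The three commented-out keys should be deleted rather than left in place, since the manifest no longer shows which layer sets the limits.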
@@ -1,43 +1,44 @@ {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are 
vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- 
https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2024-06-21T21:33:53.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1097682,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","pat
hs":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>
@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>tailwindcss>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fa
st-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-
scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>react-dev-utils>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estre
e>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromat
ch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-ut
ils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/repo
rters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- 
https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
-{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>ba
bel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{
"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>
@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react
-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. 
There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micr
omatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react
-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest-resolve>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-
scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>j
est-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micro
match","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-
scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>
micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","r
eact-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform
>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-confi
g>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/tr
ansform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jes
t-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest
>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest
/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core
>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["r
eact-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>mi
cromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>
@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@je
st/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>je
st-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporter
s>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>je
st>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/cor
e>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","
react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@j
est/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>microm
atch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-script
s>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-ut
il>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>mi
cromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/
console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service 
(ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/tran
sform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@
jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression 
Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>eslint-webpack-plugin>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/co
re>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch",
"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/report
ers>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>
jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/cor
e>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","
react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>
@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micr
omatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","rea
ct-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-m
essage-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-ma
p>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@j
est/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service 
(ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@je
st/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-ru
ntime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular 
Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micr
omatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/cor
e>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package 
`micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","reac
t-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message
-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>jest-config>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-
map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@
jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM 
package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core
>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jes
t-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular 
Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>@jest/core>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@je
st/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>microma
tch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest>jest-cli>@jest/core>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest
/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest
-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micro
match","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/con
sole>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>tailwindcss>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>je
st-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/co
re>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"http-proxy-middleware>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-h
aste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>j
est-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"react-scripts>webpack-dev-server>http-proxy-middleware>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest
/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-s
cripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1098618,"path":"micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","
react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-
sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":0,"vectorString":null},"updated":"2024-08-23T17:27:31.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098618,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persists. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098664,"path":"react-scripts>webpack","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.78.0","paths":["react-scripts>webpack"]}],"metadata":null,"vulnerable_versions":"<5.94.0","module_name":"webpack","severity":"moderate","github_advisory_id":"GHSA-4vvj-4cpr-p986","cves":["CVE-2024-43788"],"access":"public","patched_versions":">=5.94.0","cvss":{"score":6.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H"},"updated":"2024-08-27T19:50:41.000Z","recommendation":"Upgrade to version 5.94.0 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1098664,"references":"- https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43788\n- https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61\n- https://research.securitum.com/xss-in-amp4email-dom-clobbering\n- https://scnps.co/papers/sp23_domclob.pdf\n- https://github.com/advisories/GHSA-4vvj-4cpr-p986","created":"2024-08-27T19:50:40.000Z","reported_by":null,"title":"Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS","npm_advisory_id":null,"overview":"Hi, Webpack developer team!\n\n### Summary\n\nWe discovered a DOM Clobbering vulnerability in Webpack’s 
`AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\n\nWe found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.\n\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n\n#### Gadgets found in Webpack\n\nWe identified a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. 
When the `output.publicPath` field in the configuration is not set or is set to `auto`, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:\n\n```\n/******/ \t/* webpack/runtime/publicPath */\n/******/ \t(() => {\n/******/ \t\tvar scriptUrl;\n/******/ \t\tif (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + \"\";\n/******/ \t\tvar document = __webpack_require__.g.document;\n/******/ \t\tif (!scriptUrl && document) {\n/******/ \t\t\tif (document.currentScript)\n/******/ \t\t\t\tscriptUrl = document.currentScript.src;\n/******/ \t\t\tif (!scriptUrl) {\n/******/ \t\t\t\tvar scripts = document.getElementsByTagName(\"script\");\n/******/ \t\t\t\tif(scripts.length) {\n/******/ \t\t\t\t\tvar i = scripts.length - 1;\n/******/ \t\t\t\t\twhile (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;\n/******/ \t\t\t\t}\n/******/ \t\t\t}\n/******/ \t\t}\n/******/ \t\t// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration\n/******/ \t\t// or pass an empty string (\"\") and set the __webpack_public_path__ variable from your code to use your own logic.\n/******/ \t\tif (!scriptUrl) throw new Error(\"Automatic publicPath is not supported in this browser\");\n/******/ \t\tscriptUrl = scriptUrl.replace(/#.*$/, \"\").replace(/\\?.*$/, \"\").replace(/\\/[^\\/]+$/, \"/\");\n/******/ \t\t__webpack_require__.p = scriptUrl;\n/******/ \t})();\n```\n\nHowever, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with `document.currentScript` can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the `src` attribute of the attacker-controlled element will be used as the `scriptUrl` and assigned to `__webpack_require__.p`. 
If additional scripts are loaded from the server, `__webpack_require__.p` will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.\n\n### PoC\n\nPlease note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.\n\nConsider a website developer with the following two scripts, `entry.js` and `import1.js`, that are compiled using Webpack:\n\n```\n// entry.js\nimport('./import1.js')\n .then(module => {\n module.hello();\n })\n .catch(err => {\n console.error('Failed to load module', err);\n });\n```\n\n```\n// import1.js\nexport function hello () {\n console.log('Hello');\n}\n```\n\nThe webpack.config.js is set up as follows:\n```\nconst path = require('path');\n\nmodule.exports = {\n entry: './entry.js', // Ensure the correct path to your entry file\n output: {\n filename: 'webpack-gadgets.bundle.js', // Output bundle file\n path: path.resolve(__dirname, 'dist'), // Output directory\n publicPath: \"auto\", // Or leave this field not set\n },\n target: 'web',\n mode: 'development',\n};\n```\n\nWhen the developer builds these scripts into a bundle and adds it to a webpage, the page could load the `import1.js` file from the attacker's domain, `attacker.controlled.server`. The attacker only needs to insert an `img` tag with the `name` attribute set to `currentScript`. 
This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n```\n\n\n\n Webpack Example\n \n \n \n\n\n\n\n\n```\n\n### Impact\n\nThis vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.\n\n### Patch\n\nA possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174\n\n```\n/******/ \t/* webpack/runtime/publicPath */\n/******/ \t(() => {\n/******/ \t\tvar scriptUrl;\n/******/ \t\tif (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + \"\";\n/******/ \t\tvar document = __webpack_require__.g.document;\n/******/ \t\tif (!scriptUrl && document) {\n/******/ \t\t\tif (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :>\n/******/ \t\t\t\tscriptUrl = document.currentScript.src;\n/******/ \t\t\tif (!scriptUrl) {\n/******/ \t\t\t\tvar scripts = document.getElementsByTagName(\"script\");\n/******/ \t\t\t\tif(scripts.length) {\n/******/ \t\t\t\t\tvar i = scripts.length - 1;\n/******/ \t\t\t\t\twhile (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;\n/******/ \t\t\t\t}\n/******/ \t\t\t}\n/******/ \t\t}\n/******/ \t\t// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration\n/******/ \t\t// or pass an empty string (\"\") and set the __webpack_public_path__ variable from your code to use your own logic.\n/******/ 
\t\tif (!scriptUrl) throw new Error(\"Automatic publicPath is not supported in this browser\");\n/******/ \t\tscriptUrl = scriptUrl.replace(/#.*$/, \"\").replace(/\\?.*$/, \"\").replace(/\\/[^\\/]+$/, \"/\");\n/******/ \t\t__webpack_require__.p = scriptUrl;\n/******/ \t})();\n```\n\nPlease note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.","url":"https://github.com/advisories/GHSA-4vvj-4cpr-p986"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel
-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/envi
ronment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression 
Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>tailwindcss>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["r
eact-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/t
est-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- 
https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>react-dev-utils>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-se
quencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5
","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/re
porters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scri
pts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>ba
bel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{
"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-c
onfig>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals
>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular 
Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugi
n>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>je
st-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- 
https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest-resolve>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequenc
er>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","pa
ths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","rea
ct-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-seq
uencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>
@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>mic
romatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jes
t>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version
":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in 
micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":
"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>
jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- 
https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest
>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-
cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>m
icromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/
core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- 
https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["reac
t-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>mic
romatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>ba
bel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>je
st>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` 
prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>
jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest
>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- 
https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest
>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>mi
cromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-c
li>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5
","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The 
NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-m
ap>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/
console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- 
https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scri
pts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>je
st>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>mi
cromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/c
ore>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- 
https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>eslint-webpack-plugin>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transfor
m>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.
0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-co
nfig>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scr
ipts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package 
`micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-script
s>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>mi
cromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- 
https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>j
est-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>microma
tch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. 
By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>
jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/
core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- 
https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jes
t/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.
0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>
jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-tim
ers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) 
in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typesc
ript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-uti
l>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- 
https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. 
This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@j
est/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-s
cripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). 
The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>jest-config>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>m
icromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest
/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- 
https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core
>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]}
,{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>@jest/core>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@j
est/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/co
re>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to 
version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest>jest-cli>@jest/core>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>m
icromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/
core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- 
https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/trans
form>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","p
aths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>tailwindcss>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/
transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>j
est-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 
4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"http-proxy-middleware>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts
>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/te
st-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- 
https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} 
+{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"react-scripts>webpack-dev-server>http-proxy-middleware>micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/
core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatc
h"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. 
As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1098681,"path":"micromatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.5","paths":["@testing-library/jest-dom>@types/testing-library__jest-dom>@types/jest>expect>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>fast-glob>micromatch","react-scripts>react-dev-utils>globby>fast-glob>micromatch","eslint-plugin-jest>@typescript-eslint/experimental-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/parser>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch","react-scripts>eslint-config-react-app>@typescript-eslint/eslint-plugin>@typescript-eslint/type-utils>@typescript-eslint/utils>@typescript-eslint/typescript-estree>globby>fast-glob>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-resolve>jest-haste-map>micromatch","react-scripts>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>jest-haste-map>m
icromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>jest-haste-map>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>jest-haste-map>micromatch"]},{"version":"4.0.5","paths":["react-scripts>babel-jest>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/transform>micromatch","react-scripts>jest>@jest/core>@jest/reporters>@jest/transform>micromatch","react-scripts>jest>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>micromatch"]},{"version":"4.0.5","paths":["react-scripts>eslint-webpack-plugin>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-message-util>micromatch","react-scripts>jest>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>@jest/reporters>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/test-result>@jest/console>jest-message-util>micromatch","react-scripts>jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>jest-config>micromatch","re
act-scripts>jest>jest-cli>@jest/core>jest-config>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest>@jest/core>micromatch","react-scripts>jest>jest-cli>@jest/core>micromatch"]},{"version":"4.0.5","paths":["react-scripts>jest-watch-typeahead>jest-watcher>@jest/test-result>@jest/console>jest-message-util>micromatch"]},{"version":"4.0.5","paths":["react-scripts>tailwindcss>micromatch"]},{"version":"4.0.5","paths":["http-proxy-middleware>micromatch","react-scripts>webpack-dev-server>http-proxy-middleware>micromatch"]},{"version":"4.0.7","paths":["micromatch"]}],"metadata":null,"vulnerable_versions":"<4.0.8","module_name":"micromatch","severity":"moderate","github_advisory_id":"GHSA-952p-6rrq-rcjv","cves":["CVE-2024-4067"],"access":"public","patched_versions":">=4.0.8","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2024-08-28T13:12:27.000Z","recommendation":"Upgrade to version 4.0.8 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1098681,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-4067\n- https://github.com/micromatch/micromatch/issues/243\n- https://github.com/micromatch/micromatch/pull/247\n- https://devhub.checkmarx.com/cve-details/CVE-2024-4067\n- https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\n- https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\n- https://github.com/micromatch/micromatch/pull/266\n- https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\n- https://advisory.checkmarx.net/advisory/CVE-2024-4067\n- https://github.com/micromatch/micromatch/releases/tag/4.0.8\n- https://github.com/advisories/GHSA-952p-6rrq-rcjv","created":"2024-05-14T18:30:54.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in micromatch","npm_advisory_id":null,"overview":"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to 
Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n","url":"https://github.com/advisories/GHSA-952p-6rrq-rcjv"}}} From 06c47b58325f319f91dc24f7bf93422db6a37c71 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 09:23:09 -0700 Subject: [PATCH 082/138] Update s3.test.js --- src/lib/s3.test.js | 95 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 80 insertions(+), 15 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 1d309ca32f..a228992592 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -41,6 +41,7 @@ const VCAP_SERVICES = { describe('Tests s3 client setup', () => { afterEach(() => { process.env = oldEnv; }); + it('returns proper config with process.env.VCAP_SERVICES set', () => { process.env.VCAP_SERVICES = JSON.stringify(VCAP_SERVICES); const { credentials } = VCAP_SERVICES.s3[0]; @@ -57,6 +58,7 @@ describe('Tests s3 client setup', () => { const got = generateS3Config(); expect(got).toMatchObject(want); }); + it('returns proper config with process.env.VCAP_SERVICES not set', () => { process.env.S3_BUCKET = 'test-bucket'; process.env.AWS_ACCESS_KEY_ID = 'superSecretAccessKeyId'; 
@@ -76,6 +78,21 @@ describe('Tests s3 client setup', () => { const got = generateS3Config(); expect(got).toMatchObject(want); }); + + it('returns null config when no S3 environment variables or VCAP_SERVICES are set', () => { + delete process.env.VCAP_SERVICES; + delete process.env.S3_BUCKET; + delete process.env.AWS_ACCESS_KEY_ID; + delete process.env.AWS_SECRET_ACCESS_KEY; + delete process.env.S3_ENDPOINT; + + const want = { + bucketName: null, + s3Config: null, + }; + const got = generateS3Config(); + expect(got).toMatchObject(want); + }); }); const mockVersioningData = { @@ -84,18 +101,31 @@ const mockVersioningData = { }; describe('verifyVersioning', () => { - let mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); - const mockPut = jest.spyOn(s3, 'putBucketVersioning').mockImplementation(async (params) => new Promise((res) => { res(params); })); + let mockGet; + let mockPut; + beforeEach(() => { + mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); + mockPut = jest.spyOn(s3, 'putBucketVersioning').mockImplementation(async (params) => new Promise((res) => { res(params); })); mockGet.mockClear(); mockPut.mockClear(); }); + + afterEach(() => { + jest.restoreAllMocks(); + }); + + it('throws an error if S3 is not configured', async () => { + expect(verifyVersioning()).rejects.toThrow('S3 is not configured.'); + }); + it('Doesn\'t change things if versioning is enabled', async () => { const got = await verifyVersioning(); expect(mockGet.mock.calls.length).toBe(1); expect(mockPut.mock.calls.length).toBe(0); expect(got).toBe(mockVersioningData); }); + it('Enables versioning if it is disabled', async () => { mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementationOnce(async () => { }); const got = await verifyVersioning(process.env.S3_BUCKET); 
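Review bot: In the `verifyVersioning` hunk (`@@ -84,18 +101,31 @@`), the new "throws an error if S3 is not configured" test neither awaits nor returns `expect(verifyVersioning()).rejects…`, so the test can finish before the rejection is checked and a regression would not reliably fail it. The same pattern appears in the `uploadFile`, `deleteFileFromS3` and `deleteFileFromS3Job` hunks of this commit. The call also relies on the module-level defaults, so the result depends on whether the test environment happens to have S3 configured. I would pin both, assuming the client is the second parameter as the s3.js signature further down the page shows: `await expect(verifyVersioning(undefined, null)).rejects.toThrow('S3 is not configured.');`.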
@@ -121,22 +151,25 @@ describe('uploadFile', () => { const promise = { promise: () => new Promise((resolve) => { resolve(response); }), }; - const mockUpload = jest.spyOn(s3, 'upload').mockImplementation(() => promise); - const mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); + let mockUpload; + let mockGet; + beforeEach(() => { + mockUpload = jest.spyOn(s3, 'upload').mockImplementation(() => promise); + mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); mockUpload.mockClear(); mockGet.mockClear(); }); + afterAll(() => { process.env = oldEnv; }); - it('Correctly Uploads the file', async () => { + it('throws an error if S3 is not configured', async () => { process.env.NODE_ENV = 'development'; - const got = await uploadFile(buf, name, goodType); - expect(mockGet.mock.calls.length).toBe(0); - await expect(got).toBe(response); + expect(uploadFile(buf, name, goodType)).rejects.toThrow('S3 is not configured.'); }); + it('Correctly Uploads the file and checks versioning', async () => { process.env.NODE_ENV = 'production'; const got = await uploadFile(buf, name, goodType); 
@@ -145,20 +178,29 @@ describe('uploadFile', () => { }); }); -describe('getPresignedUrl', () => { +describe('getPresignedURL', () => { const Bucket = 'fakeBucket'; const Key = 'fakeKey'; const fakeError = new Error('fake error'); - const mockGetURL = jest.spyOn(s3, 'getSignedUrl').mockImplementation(() => 'https://example.com'); + let mockGetURL; + beforeEach(() => { + mockGetURL = jest.spyOn(s3, 'getSignedUrl').mockImplementation(() => 'https://example.com'); mockGetURL.mockClear(); }); + + it('returns an error if S3 is not configured', () => { + const url = getPresignedURL(Key, Bucket, null); + expect(url).toMatchObject({ url: null, error: new Error('S3 is not configured.') }); + }); + it('calls getSignedUrl() with correct parameters', () => { const url = getPresignedURL(Key, Bucket); expect(url).toMatchObject({ url: 'https://example.com', error: null }); expect(mockGetURL).toHaveBeenCalled(); expect(mockGetURL).toHaveBeenCalledWith('getObject', { Bucket, Key, Expires: 360 }); }); + it('calls getSignedUrl() with incorrect parameters', async () => { mockGetURL.mockImplementationOnce(() => { throw fakeError; }); const url = getPresignedURL(Key, Bucket); 
@@ -167,18 +209,30 @@ describe('getPresignedUrl', () => { expect(mockGetURL).toHaveBeenCalledWith('getObject', { Bucket, Key, Expires: 360 }); }); }); + describe('s3Uploader.deleteFileFromS3', () => { const Bucket = 'fakeBucket'; const Key = 'fakeKey'; const anotherFakeError = Error('fake'); + let mockDeleteObject; + + beforeEach(() => { + mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve('good') })); + mockDeleteObject.mockClear(); + }); + + it('throws an error if S3 is not configured', async () => { + expect(deleteFileFromS3(Key, Bucket, null)).rejects.toThrow('S3 is not configured.'); + }); + it('calls deleteFileFromS3() with correct parameters', async () => { - const mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve('good') })); const got = deleteFileFromS3(Key, Bucket); await expect(got).resolves.toBe('good'); expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); + it('throws an error if promise rejects', async () => { - const mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementationOnce( + mockDeleteObject.mockImplementationOnce( () => ({ promise: () => Promise.reject(anotherFakeError) }), ); const got = deleteFileFromS3(Key); 
@@ -187,20 +241,31 @@ describe('s3Uploader.deleteFileFromS3', () => { }); }); -describe('s3Uploader.deleteFileFromJobS3', () => { +describe('s3Uploader.deleteFileFromS3Job', () => { const Bucket = 'fakeBucket'; const Key = 'fakeKey'; const anotherFakeError = Error({ statusCode: 500 }); + let mockDeleteObject; + + beforeEach(() => { + mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }) })); + mockDeleteObject.mockClear(); + }); + + it('throws an error if S3 is not configured', async () => { + expect(deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }, null)).rejects.toThrow('S3 is not configured.'); + }); + it('calls deleteFileFromS3Job() with correct parameters', async () => { - const mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }) })); const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); await expect(got).resolves.toStrictEqual({ status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, }); expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); + it('throws an error if promise rejects', async () => { - const mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementationOnce( + mockDeleteObject.mockImplementationOnce( () => ({ promise: () => Promise.reject(anotherFakeError) }), ); const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); From 3cd6fd62925e109729b287050a5137d4c1299c5f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 09:29:33 -0700 Subject: [PATCH 083/138] Update s3.test.js --- src/lib/s3.test.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index a228992592..138aa1c5cf 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
@@ -116,7 +116,7 @@ describe('verifyVersioning', () => { }); it('throws an error if S3 is not configured', async () => { - expect(verifyVersioning()).rejects.toThrow('S3 is not configured.'); + await expect(verifyVersioning()).rejects.toThrow('S3 is not configured.'); }); it('Doesn\'t change things if versioning is enabled', async () => { @@ -167,7 +167,7 @@ describe('uploadFile', () => { it('throws an error if S3 is not configured', async () => { process.env.NODE_ENV = 'development'; - expect(uploadFile(buf, name, goodType)).rejects.toThrow('S3 is not configured.'); + await expect(uploadFile(buf, name, goodType)).rejects.toThrow('S3 is not configured.'); }); it('Correctly Uploads the file and checks versioning', async () => { @@ -222,7 +222,7 @@ describe('s3Uploader.deleteFileFromS3', () => { }); it('throws an error if S3 is not configured', async () => { - expect(deleteFileFromS3(Key, Bucket, null)).rejects.toThrow('S3 is not configured.'); + await expect(deleteFileFromS3(Key, Bucket, null)).rejects.toThrow('S3 is not configured.'); }); it('calls deleteFileFromS3() with correct parameters', async () => { @@ -253,7 +253,7 @@ describe('s3Uploader.deleteFileFromS3Job', () => { }); it('throws an error if S3 is not configured', async () => { - expect(deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }, null)).rejects.toThrow('S3 is not configured.'); + await expect(deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }, null)).rejects.toThrow('S3 is not configured.'); }); it('calls deleteFileFromS3Job() with correct parameters', async () => { From 538109f4c82770a8c29e35056a2c3fc851db7b69 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 09:47:15 -0700 Subject: [PATCH 084/138] Update s3.test.js --- src/lib/s3.test.js | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 138aa1c5cf..417842e0a6 100644 
--- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -105,10 +105,12 @@ describe('verifyVersioning', () => { let mockPut; beforeEach(() => { - mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); - mockPut = jest.spyOn(s3, 'putBucketVersioning').mockImplementation(async (params) => new Promise((res) => { res(params); })); - mockGet.mockClear(); - mockPut.mockClear(); + if (s3) { + mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); + mockPut = jest.spyOn(s3, 'putBucketVersioning').mockImplementation(async (params) => new Promise((res) => { res(params); })); + mockGet.mockClear(); + mockPut.mockClear(); + } }); afterEach(() => { @@ -127,7 +129,9 @@ describe('verifyVersioning', () => { }); it('Enables versioning if it is disabled', async () => { - mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementationOnce(async () => { }); + if (s3) { + mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementationOnce(async () => { }); + } const got = await verifyVersioning(process.env.S3_BUCKET); expect(mockGet.mock.calls.length).toBe(1); expect(mockPut.mock.calls.length).toBe(1); @@ -155,10 +159,12 @@ describe('uploadFile', () => { let mockGet; beforeEach(() => { - mockUpload = jest.spyOn(s3, 'upload').mockImplementation(() => promise); - mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); - mockUpload.mockClear(); - mockGet.mockClear(); + if (s3) { + mockUpload = jest.spyOn(s3, 'upload').mockImplementation(() => promise); + mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); + mockUpload.mockClear(); + mockGet.mockClear(); + } }); afterAll(() => { 
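Review bot: Wrapping the spy setup in `if (s3) { … }` makes the suite's outcome depend on the ambient environment rather than on the code under test; it starts in the `verifyVersioning` `beforeEach` (`@@ -105,10 +105,12 @@`) and is repeated in the `uploadFile`, `getPresignedURL`, `deleteFileFromS3` and `deleteFileFromS3Job` hunks. When `s3` is falsy, `mockGet` and `mockPut` stay `undefined`, so the unchanged tests that read `mockGet.mock.calls.length` would die with a TypeError instead of a meaningful assertion. Since these functions accept a client argument, an explicit stub is steadier: `const client = { getBucketVersioning: jest.fn(async () => mockVersioningData), putBucketVersioning: jest.fn(async (p) => p) };` followed by `await verifyVersioning('test-bucket', client)`.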
@@ -185,8 +191,10 @@ describe('getPresignedURL', () => { let mockGetURL; beforeEach(() => { - mockGetURL = jest.spyOn(s3, 'getSignedUrl').mockImplementation(() => 'https://example.com'); - mockGetURL.mockClear(); + if (s3) { + mockGetURL = jest.spyOn(s3, 'getSignedUrl').mockImplementation(() => 'https://example.com'); + mockGetURL.mockClear(); + } }); it('returns an error if S3 is not configured', () => { @@ -217,8 +225,10 @@ describe('s3Uploader.deleteFileFromS3', () => { let mockDeleteObject; beforeEach(() => { - mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve('good') })); - mockDeleteObject.mockClear(); + if (s3) { + mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve('good') })); + mockDeleteObject.mockClear(); + } }); it('throws an error if S3 is not configured', async () => { @@ -248,8 +258,10 @@ describe('s3Uploader.deleteFileFromS3Job', () => { let mockDeleteObject; beforeEach(() => { - mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }) })); - mockDeleteObject.mockClear(); + if (s3) { + mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }) })); + mockDeleteObject.mockClear(); + } }); it('throws an error if S3 is not configured', async () => { From 9dd42190f8aaaed069c634e1f3c112d318175e49 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 11:44:41 -0700 Subject: [PATCH 085/138] updates to support running without s3 --- src/lib/s3.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/lib/s3.js b/src/lib/s3.js index bdce317253..1431056c88 100644 --- a/src/lib/s3.js +++ b/src/lib/s3.js 
@@ -65,13 +65,13 @@ const deleteFileFromS3 = async (key, bucket = bucketName, s3Client = s3) => { return s3Client.deleteObject(params).promise(); }; -const deleteFileFromS3Job = async (job) => { +const deleteFileFromS3Job = async (job, s3Client = s3) => { const { fileId, fileKey, bucket, } = job.data; let res; try { - res = await deleteFileFromS3(fileKey, bucket); + res = await deleteFileFromS3(fileKey, bucket, s3Client); return ({ status: 200, data: { fileId, fileKey, res } }); } catch (error) { auditLogger.error(`S3 Queue Error: Unable to DELETE file '${fileId}' for key '${fileKey}': ${error.message}`); @@ -101,15 +101,15 @@ const verifyVersioning = async (bucket = bucketName, s3Client = s3) => { return data; }; -const downloadFile = (key) => { - if (!s3 || !bucketName) { +const downloadFile = (key, s3Client = s3) => { + if (!s3Client || !bucketName) { throw new Error('S3 is not configured.'); } const params = { Bucket: bucketName, Key: key, }; - return s3.getObject(params).promise(); + return s3Client.getObject(params).promise(); }; const getPresignedURL = (Key, Bucket = bucketName, s3Client = s3, Expires = 360) => { From 0547f12c130bd1b0a9b46938968859dc7d447e6c Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 11:44:59 -0700 Subject: [PATCH 086/138] test changes to support running without s3 --- src/lib/s3.test.js | 72 +++++++++++++++++++++++++--------------------- 1 file changed, 40 insertions(+), 32 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 417842e0a6..2450ab76ff 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -1,4 +1,5 @@ import { v4 as uuidv4 } from 'uuid'; +import { S3 } from 'aws-sdk'; import { s3, verifyVersioning, 
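Review bot: In src/lib/s3.js (`@@ -101,15 +101,15 @@`), `downloadFile` gains an injectable `s3Client` but still reads the module-level `bucketName`, whereas `deleteFileFromS3`, `verifyVersioning` and `getPresignedURL` take the bucket as a parameter, and nothing documents how the new argument behaves. Because of the default, passing `undefined` falls back to the real client; only an explicit `null` reaches the `'S3 is not configured.'` guard. A short JSDoc on `downloadFile` and `deleteFileFromS3Job` would make that contract visible, e.g. `@param {object|null} [s3Client=s3] client used for the request; null makes the call fail with 'S3 is not configured.'`.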
@@ -9,6 +10,17 @@ import { deleteFileFromS3Job, } from './s3'; +jest.mock('aws-sdk', () => { + const mS3 = { + getBucketVersioning: jest.fn(), + putBucketVersioning: jest.fn(), + upload: jest.fn(), + getSignedUrl: jest.fn(), + deleteObject: jest.fn(), + }; + return { S3: jest.fn(() => mS3) }; +}); + const oldEnv = { ...process.env }; const VCAP_SERVICES = { s3: [ @@ -105,12 +117,12 @@ describe('verifyVersioning', () => { let mockPut; beforeEach(() => { - if (s3) { - mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); - mockPut = jest.spyOn(s3, 'putBucketVersioning').mockImplementation(async (params) => new Promise((res) => { res(params); })); - mockGet.mockClear(); - mockPut.mockClear(); - } + mockGet = S3().getBucketVersioning.mockImplementation(async () => mockVersioningData); + mockPut = S3().putBucketVersioning.mockImplementation(async (params) => new Promise((res) => { + res(params); + })); + mockGet.mockClear(); + mockPut.mockClear(); }); afterEach(() => { @@ -118,7 +130,7 @@ describe('verifyVersioning', () => { }); it('throws an error if S3 is not configured', async () => { - await expect(verifyVersioning()).rejects.toThrow('S3 is not configured.'); + await expect(verifyVersioning(VCAP_SERVICES.s3[0].binding_name, null)).rejects.toThrow('S3 is not configured.'); }); it('Doesn\'t change things if versioning is enabled', async () => { @@ -129,9 +141,7 @@ describe('verifyVersioning', () => { }); it('Enables versioning if it is disabled', async () => { - if (s3) { - mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementationOnce(async () => { }); - } + mockGet.mockImplementationOnce(async () => { }); // Simulate disabled versioning const got = await verifyVersioning(process.env.S3_BUCKET); expect(mockGet.mock.calls.length).toBe(1); expect(mockPut.mock.calls.length).toBe(1); 
@@ -159,12 +169,8 @@ describe('uploadFile', () => { let mockGet; beforeEach(() => { - if (s3) { - mockUpload = jest.spyOn(s3, 'upload').mockImplementation(() => promise); - mockGet = jest.spyOn(s3, 'getBucketVersioning').mockImplementation(async () => mockVersioningData); - mockUpload.mockClear(); - mockGet.mockClear(); - } + mockUpload = s3.upload.mockImplementation(() => promise); + mockGet = s3.getBucketVersioning.mockImplementation(async () => mockVersioningData); }); afterAll(() => { @@ -172,8 +178,7 @@ describe('uploadFile', () => { }); it('throws an error if S3 is not configured', async () => { - process.env.NODE_ENV = 'development'; - await expect(uploadFile(buf, name, goodType)).rejects.toThrow('S3 is not configured.'); + await expect(uploadFile(buf, name, goodType, null)).rejects.toThrow('S3 is not configured.'); }); it('Correctly Uploads the file and checks versioning', async () => { @@ -191,10 +196,7 @@ describe('getPresignedURL', () => { let mockGetURL; beforeEach(() => { - if (s3) { - mockGetURL = jest.spyOn(s3, 'getSignedUrl').mockImplementation(() => 'https://example.com'); - mockGetURL.mockClear(); - } + mockGetURL = s3.getSignedUrl.mockImplementation(() => 'https://example.com'); }); it('returns an error if S3 is not configured', () => { @@ -225,10 +227,7 @@ describe('s3Uploader.deleteFileFromS3', () => { let mockDeleteObject; beforeEach(() => { - if (s3) { - mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve('good') })); - mockDeleteObject.mockClear(); - } + mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve('good') })); }); it('throws an error if S3 is not configured', async () => { 
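Review bot: The rewritten `beforeEach` in the `uploadFile` hunk (`@@ -159,12 +169,8 @@`) drops the `mockClear()` calls, and the `getPresignedURL` and `deleteFileFromS3` hunks do the same. The mocks are now presumably the shared `jest.fn()` instances created once in the `jest.mock('aws-sdk')` factory, so call history carries over between tests and describe blocks unless the Jest config sets `clearMocks` (not visible here). Count assertions such as `expect(mockGet.mock.calls.length).toBe(…)` then become order-dependent. Keeping `mockUpload.mockClear(); mockGet.mockClear();` after the `mockImplementation` lines, or adding a file-level `afterEach(() => jest.clearAllMocks());`, restores isolation.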
@@ -258,14 +257,23 @@ describe('s3Uploader.deleteFileFromS3Job', () => { let mockDeleteObject; beforeEach(() => { - if (s3) { - mockDeleteObject = jest.spyOn(s3, 'deleteObject').mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }) })); - mockDeleteObject.mockClear(); - } + mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ + promise: () => Promise.resolve({ status: 200, data: {} }), + })); }); - it('throws an error if S3 is not configured', async () => { - await expect(deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }, null)).rejects.toThrow('S3 is not configured.'); + it('returns a 500 status with error data if S3 is not configured', async () => { + const expectedOutput = { + data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, + res: undefined, + status: 500, + }; + + const job = { data: { fileId: 1, fileKey: 'fakeKey', bucket: 'fakeBucket' } }; + // Pass null for s3Client to simulate S3 not being configured + const got = await deleteFileFromS3Job(job, null); + + expect(got).toStrictEqual(expectedOutput); }); it('calls deleteFileFromS3Job() with correct parameters', async () => { From c44f86c8daa1744f9d2d82bb058631f477566a1d Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 11:45:32 -0700 Subject: [PATCH 087/138] try to get the right configuration to get enough memory --- automation/dynamic-manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index cc137e4a6e..b94a30f7ca 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml @@ -12,7 +12,7 @@ applications: command: ((command)) services: ((bound_services)) processes: - - type: worker + - type: web instances: ((instances)) command: ((command)) memory: ((memory)) From 932051f79d0fea4b90e565840b5233c325f82ae5 Mon Sep 17 00:00:00 2001 
From: GarrettEHill Date: Wed, 28 Aug 2024 13:41:21 -0700 Subject: [PATCH 088/138] memory needs to be passed into run-task for it to not use the default --- .circleci/config.yml | 2 +- automation/ci/scripts/cf_lambda.sh | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e9082e59c6..ebd0abdad0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -418,7 +418,7 @@ commands: sudo apt-get update # Install uuid-runtime to have access to uuidgen # Install pv wget - sudo apt-get install -y pv uuid-runtime wget coreutils jq + sudo apt-get install -y pv uuid-runtime wget coreutils jq yq # Install Cloud Foundry CLI wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index cac3da1c01..3b43dbdbea 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -386,6 +386,16 @@ function push_app { exit 1 fi + # Extract memory value from config file + local memory + memory=$(yq eval '.memory' "$config_file") + + if [ -z "$memory" ]; then + log "ERROR" "Memory value not found in config file $config_file" + cd "$original_dir" + exit 1 + fi + # Unbind services and push the app unbind_all_services @@ -401,6 +411,9 @@ function push_app { # Restore original directory cd "$original_dir" + + # Return the memory value to be used in the run_task function + echo "$memory" } # Function to start an app 
@@ -464,18 +477,20 @@ function run_task { local task_name=$1 local command=$2 local args_json=$3 + local memory=$4 # New parameter for memory validate_parameters "$command" validate_parameters "$task_name" validate_parameters "$args_json" + validate_parameters "$memory" # Convert JSON array to space-separated list of arguments local args=$(echo "$args_json" | jq -r '.[]' | sed 's/\(.*\)/"\1"/' | tr '\n' ' ' | sed 's/ $/\n/') - log "INFO" "Running task: $task_name with args: $args" + log "INFO" "Running task: $task_name with args: $args and memory: $memory" local full_command="$command $args" - cf run-task "$app_name" --command "$full_command" --name "$task_name" + cf run-task "$app_name" --command "$full_command" --name "$task_name" --memory "$memory" local result=$? if [ $result -ne 0 ]; then log "ERROR" "Failed to start task $task_name with error code $result" @@ -593,10 +608,11 @@ main() { fi fi - push_app "$directory" "$config" + # Get memory value from push_app + memory=$(push_app "$directory" "$config") start_app - if run_task "$task_name" "$command" "$args" && monitor_task "$task_name" $timeout_active_tasks; then + if run_task "$task_name" "$command" "$args" "$memory" && monitor_task "$task_name" $timeout_active_tasks; then log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." @@ -610,4 +626,5 @@ main() { # delete_app "tta-automation" } + main "$@" From 676b902d06c3c90f164f51c1b577a2b6fe9f98fa Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 16:01:50 -0700 Subject: [PATCH 089/138] yq not available --- .circleci/config.yml | 2 +- automation/ci/scripts/cf_lambda.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index ebd0abdad0..e9082e59c6 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
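Review bot: In `main` (`@@ -593,10 +608,11 @@`), `memory=$(push_app "$directory" "$config")` runs `push_app` in a command-substitution subshell, so its `exit 1` paths no longer stop the script and `start_app` runs even after a failed push. The capture also takes everything `push_app` writes to stdout, including the `cf push … 2>&1` output and possibly the `log` messages, not just the final `echo "$memory"`, so `--memory` could receive a multi-line string. At minimum propagate the failure with `memory=$(push_app "$directory" "$config") || exit 1`. Preferably read the memory value from the config file in a step that prints nothing else, rather than returning it through `push_app`'s stdout. `main` begins and ends outside this hunk.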
@@ -418,7 +418,7 @@ commands: sudo apt-get update # Install uuid-runtime to have access to uuidgen # Install pv wget - sudo apt-get install -y pv uuid-runtime wget coreutils jq yq + sudo apt-get install -y pv uuid-runtime wget coreutils jq # Install Cloud Foundry CLI wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 3b43dbdbea..50d0d0d27d 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -386,9 +386,9 @@ function push_app { exit 1 fi - # Extract memory value from config file + # Extract memory value from config file using awk local memory - memory=$(yq eval '.memory' "$config_file") + memory=$(awk '/memory:/ {print $2}' "$config_file") if [ -z "$memory" ]; then log "ERROR" "Memory value not found in config file $config_file" From a44ccff818d01f0f7e16833a5aed1b0418f8006a Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 17:11:46 -0700 Subject: [PATCH 090/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 50d0d0d27d..20f9612ac7 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -490,7 +490,7 @@ function run_task { log "INFO" "Running task: $task_name with args: $args and memory: $memory" local full_command="$command $args" - cf run-task "$app_name" --command "$full_command" --name "$task_name" --memory "$memory" + cf run-task "$app_name" --command "$full_command" --name "$task_name" -m "$memory" local result=$? if [ $result -ne 0 ]; then log "ERROR" "Failed to start task $task_name with error code $result" From 3cf44fae081a95501f3000cf477659e0bda6c30a Mon Sep 17 00:00:00 2001 
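Review bot: In `push_app` (`@@ -386,9 +386,9 @@` of cf_lambda.sh), `awk '/memory:/ {print $2}'` matches every line that contains `memory:`, including a commented-out line or a nested key, and prints one value per match, so `$memory` can be wrong or multi-line while still passing the `-z` check. Anchoring the key and stopping at the first hit is safer: `memory=$(awk '/^memory:/ {print $2; exit}' "$config_file")`. Since the value ends up on the `cf run-task` command line, I would also check its shape before use, e.g. `[[ "$memory" =~ ^[0-9]+(M|MB|G|GB)$ ]] || { log "ERROR" "Unexpected memory value: $memory"; exit 1; }`. `push_app` starts and ends outside the hunk.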
From: GarrettEHill Date: Wed, 28 Aug 2024 17:28:15 -0700 Subject: [PATCH 091/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 20f9612ac7..c9e8afbc24 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -484,6 +484,9 @@ function run_task { validate_parameters "$args_json" validate_parameters "$memory" + # Convert memory from GB to G if necessary + memory=$(echo "$memory" | sed 's/GB/G/') + # Convert JSON array to space-separated list of arguments local args=$(echo "$args_json" | jq -r '.[]' | sed 's/\(.*\)/"\1"/' | tr '\n' ' ' | sed 's/ $/\n/') From 3cc3921708e2820ce0f464536f3f2fa33982dcb5 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 23:09:17 -0700 Subject: [PATCH 092/138] try to clean up the app more for each use --- automation/ci/scripts/cf_lambda.sh | 23 +++++++++++++++++++++++ automation/dynamic-manifest.yml | 11 +++-------- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index c9e8afbc24..37e758d221 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -360,6 +360,7 @@ function unbind_all_services() { # Push the app using a manifest from a specific directory function push_app { + local app_name="tta-automation" local original_dir=$(pwd) # Save the original directory local directory=$1 local config=$2 
@@ -399,6 +400,28 @@ function push_app { # Unbind services and push the app unbind_all_services + # Scale down all processes to zero + for process in $(cf app $app_name --guid | jq -r '.process_types[]'); do + if ! cf scale $app_name -i 0 -p "$process" 2>&1; then + log "ERROR" "Failed to scale down process: $process" + cd "$original_dir" + exit 1 + else + log "INFO" "Scaled down process: $process." + fi + done + + # Delete all processes + for process in $(cf app $app_name --guid | jq -r '.process_types[]'); do + if ! cf delete-process $app_name "$process" -f 2>&1; then + log "ERROR" "Failed to delete process: $process" + cd "$original_dir" + exit 1 + else + log "INFO" "Deleted process: $process." + fi + done + # Push the app if ! cf push -f "$manifest_file" --vars-file "$config_file" --no-route --no-start 2>&1; then log "ERROR" "Failed to push application" diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index b94a30f7ca..89f0358152 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml @@ -3,16 +3,11 @@ applications: - name: tta-automation stack: cflinuxfs4 health-check-type: process - # memory: ((memory)) - # disk_quota: ((disk_quota)) - # instances: ((instances)) + memory: ((memory)) + disk_quota: ((disk_quota)) + instances: ((instances)) no-route: true buildpacks: - ((buildpack)) command: ((command)) services: ((bound_services)) - processes: - - type: web - instances: ((instances)) - command: ((command)) - memory: ((memory)) From f6ae6297b8281714def9559699d990f0fc4f7ff1 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Wed, 28 Aug 2024 23:55:17 -0700 Subject: [PATCH 093/138] move where the memory is parsed out --- automation/ci/scripts/cf_lambda.sh | 42 ++++++++++++++++-------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 37e758d221..85deefbf3f 100644 --- a/automation/ci/scripts/cf_lambda.sh 
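Review bot: In `push_app` (`@@ -399,6 +400,28 @@`), both new loops iterate over `$(cf app $app_name --guid | jq -r '.process_types[]')`, but `cf app --guid` prints the bare GUID rather than JSON. `jq` should fail to parse it, the substitution comes back empty, and neither loop body runs, so the scale-down and delete steps are skipped with no error logged. If the goal is the app's process types, the v3 API returns them as JSON: `cf curl "/v3/apps/$(cf app "$app_name" --guid)/processes" | jq -r '.resources[].type'`, with the result checked for emptiness before looping. I could not confirm that `cf delete-process` is an existing CLI command, so that call is worth verifying as well. `push_app` continues outside the hunk.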
+++ b/automation/ci/scripts/cf_lambda.sh @@ -387,16 +387,6 @@ function push_app { exit 1 fi - # Extract memory value from config file using awk - local memory - memory=$(awk '/memory:/ {print $2}' "$config_file") - - if [ -z "$memory" ]; then - log "ERROR" "Memory value not found in config file $config_file" - cd "$original_dir" - exit 1 - fi - # Unbind services and push the app unbind_all_services @@ -434,9 +424,6 @@ function push_app { # Restore original directory cd "$original_dir" - - # Return the memory value to be used in the run_task function - echo "$memory" } # Function to start an app @@ -500,12 +487,29 @@ function run_task { local task_name=$1 local command=$2 local args_json=$3 - local memory=$4 # New parameter for memory + local config=$4 # New parameter for config validate_parameters "$command" validate_parameters "$task_name" validate_parameters "$args_json" - validate_parameters "$memory" + validate_parameters "$config" + + # Load the environment from the config file relative to the manifest directory + local config_file="./automation/configs/${config}.yml" + + if [ ! -f "$config_file" ]; then + log "ERROR" "Config file $config_file not found" + exit 1 + fi + + # Extract memory value from config file using awk + local memory + memory=$(awk '/memory:/ {print $2}' "$config_file") + + if [ -z "$memory" ]; then + log "ERROR" "Memory value not found in config file $config_file" + exit 1 + fi # Convert memory from GB to G if necessary memory=$(echo "$memory" | sed 's/GB/G/') @@ -513,7 +517,6 @@ function run_task { # Convert JSON array to space-separated list of arguments local args=$(echo "$args_json" | jq -r '.[]' | sed 's/\(.*\)/"\1"/' | tr '\n' ' ' | sed 's/ $/\n/') - log "INFO" "Running task: $task_name with args: $args and memory: $memory" local full_command="$command $args" cf run-task "$app_name" --command "$full_command" --name "$task_name" -m "$memory" 
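Review bot: In `run_task` (`@@ -500,12 +487,29 @@`), `$config` is interpolated into `./automation/configs/${config}.yml` after only `validate_parameters`, whose definition is outside this hunk and which presumably checks just that the value is present. A value containing `/` or `..` would make the script read a file outside `automation/configs`, and the relative path also depends on the working directory at call time. I would constrain the name before building the path: `case "$config" in ''|*[!A-Za-z0-9_-]*) log "ERROR" "Invalid config name: $config"; exit 1 ;; esac`. The following hunk (`@@ -513,7 +517,6 @@`) also removes the `log "INFO" "Running task: …"` line; keeping a record of what was launched helps when auditing CI runs.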
@@ -634,11 +637,12 @@ main() { fi fi - # Get memory value from push_app - memory=$(push_app "$directory" "$config") + # Push the app without returning memory + push_app "$directory" "$config" start_app - if run_task "$task_name" "$command" "$args" "$memory" && monitor_task "$task_name" $timeout_active_tasks; then + # Pass the config to run_task instead of memory + if run_task "$task_name" "$command" "$args" "$config" && monitor_task "$task_name" $timeout_active_tasks; then log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." From c2573efd3328ef06a1f3dd6581d224f6ff4865c3 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Thu, 29 Aug 2024 11:46:14 -0700 Subject: [PATCH 094/138] refresh log monitoring if it gets disconnected --- .circleci/config.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e9082e59c6..cc65573b46 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -454,18 +454,28 @@ commands: name: Start Log Monitoring command: | #!/bin/bash + CONTROL_FILE="/tmp/stop_tail" rm -f $CONTROL_FILE - # Start tailing logs - cf logs tta-automation & + # Function to start tailing logs + start_log_tailing() { + echo "Starting cf logs for tta-automation..." + cf logs tta-automation & + TAIL_PID=$! + } - # Get the PID of the cf logs command - TAIL_PID=$! + # Start tailing logs for the first time + start_log_tailing - # Wait for the control file to be created + # Monitor the cf logs process while [ ! -f $CONTROL_FILE ]; do - sleep 1 + # Check if the cf logs process is still running + if ! kill -0 $TAIL_PID 2>/dev/null; then + echo "cf logs command has stopped unexpectedly. Restarting..." + start_log_tailing + fi + sleep 1 done # Kill the cf logs command From 608924911b1c880f944c3aaab8e693ca3f7a5893 Mon Sep 17 00:00:00 2001 
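Review bot: The restart branch added to the "Start Log Monitoring" loop has no limit or backoff, so if `cf logs tta-automation` exits immediately every time (an expired login would do it, though the hunk does not show the cause), the step prints "Restarting..." once per second until the control file appears and buries the task output it is meant to show. Count the restarts and give up after a few, e.g. `RESTARTS=$((RESTARTS + 1)); [ "$RESTARTS" -le 5 ] || { echo "cf logs failed $RESTARTS times; giving up"; break; }` placed just before `start_log_tailing`. `$CONTROL_FILE` and `$TAIL_PID` should also be quoted in the `[ ! -f ... ]` and `kill -0` tests. The command block starts before and ends after this hunk.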
From: GarrettEHill Date: Thu, 29 Aug 2024 13:18:55 -0700 Subject: [PATCH 095/138] correct the path --- automation/configs/process-backup.yml | 2 +- automation/configs/process-restore.yml | 2 +- automation/configs/process.yml | 2 +- automation/configs/production-backup.yml | 2 +- automation/configs/production-restore.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/automation/configs/process-backup.yml b/automation/configs/process-backup.yml index 5f58a7afc8..ac927c4ebe 100644 --- a/automation/configs/process-backup.yml +++ b/automation/configs/process-backup.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./cf/scripts/idol.sh" +command: "./app/cf/scripts/idol.sh" bound_services: - ttahub-process diff --git a/automation/configs/process-restore.yml b/automation/configs/process-restore.yml index 644686c3a9..c692df8621 100644 --- a/automation/configs/process-restore.yml +++ b/automation/configs/process-restore.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./cf/scripts/idol.sh" +command: "./app/cf/scripts/idol.sh" bound_services: - ttahub-db-backups diff --git a/automation/configs/process.yml b/automation/configs/process.yml index 3300f0c281..92e632b8f3 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -3,7 +3,7 @@ memory: 2GB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" -command: "./automation/cf/scripts/idol.sh" +command: "./app/automation/cf/scripts/idol.sh" bound_services: - ttahub-process diff --git a/automation/configs/production-backup.yml b/automation/configs/production-backup.yml index 8e19a6c61e..74c9b642c0 100644 --- a/automation/configs/production-backup.yml +++ b/automation/configs/production-backup.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./cf/scripts/idol.sh" +command: "./app/cf/scripts/idol.sh" bound_services: - ttahub-prod 
diff --git a/automation/configs/production-restore.yml b/automation/configs/production-restore.yml index 97437857ab..0246285e80 100644 --- a/automation/configs/production-restore.yml +++ b/automation/configs/production-restore.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./cf/scripts/idol.sh" +command: "./app/cf/scripts/idol.sh" bound_services: - ttahub-db-backups From ed3806b96b2ed0642acabb5146eaa0bb113cadc7 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Thu, 29 Aug 2024 13:32:04 -0700 Subject: [PATCH 096/138] revert that last change --- automation/configs/process-backup.yml | 2 +- automation/configs/process-restore.yml | 2 +- automation/configs/process.yml | 2 +- automation/configs/production-backup.yml | 2 +- automation/configs/production-restore.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/automation/configs/process-backup.yml b/automation/configs/process-backup.yml index ac927c4ebe..5f58a7afc8 100644 --- a/automation/configs/process-backup.yml +++ b/automation/configs/process-backup.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./app/cf/scripts/idol.sh" +command: "./cf/scripts/idol.sh" bound_services: - ttahub-process diff --git a/automation/configs/process-restore.yml b/automation/configs/process-restore.yml index c692df8621..644686c3a9 100644 --- a/automation/configs/process-restore.yml +++ b/automation/configs/process-restore.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./app/cf/scripts/idol.sh" +command: "./cf/scripts/idol.sh" bound_services: - ttahub-db-backups diff --git a/automation/configs/process.yml b/automation/configs/process.yml index 92e632b8f3..3300f0c281 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml 
@@ -3,7 +3,7 @@ memory: 2GB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" -command: "./app/automation/cf/scripts/idol.sh" +command: "./automation/cf/scripts/idol.sh" bound_services: - ttahub-process diff --git a/automation/configs/production-backup.yml b/automation/configs/production-backup.yml index 74c9b642c0..8e19a6c61e 100644 --- a/automation/configs/production-backup.yml +++ b/automation/configs/production-backup.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./app/cf/scripts/idol.sh" +command: "./cf/scripts/idol.sh" bound_services: - ttahub-prod diff --git a/automation/configs/production-restore.yml b/automation/configs/production-restore.yml index 0246285e80..97437857ab 100644 --- a/automation/configs/production-restore.yml +++ b/automation/configs/production-restore.yml @@ -3,7 +3,7 @@ memory: 32M disk_quota: 64M buildpack: "binary_buildpack" -command: "./app/cf/scripts/idol.sh" +command: "./cf/scripts/idol.sh" bound_services: - ttahub-db-backups From 2ed3b6522c09ec10e0535e69acb7cea7567ba325 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Thu, 29 Aug 2024 13:41:56 -0700 Subject: [PATCH 097/138] adjust ram --- automation/configs/process-backup.yml | 2 +- automation/configs/process-restore.yml | 2 +- automation/configs/production-backup.yml | 2 +- automation/configs/production-restore.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/automation/configs/process-backup.yml b/automation/configs/process-backup.yml index 5f58a7afc8..d5a1c65562 100644 --- a/automation/configs/process-backup.yml +++ b/automation/configs/process-backup.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 32M +memory: 256M disk_quota: 64M buildpack: "binary_buildpack" diff --git a/automation/configs/process-restore.yml b/automation/configs/process-restore.yml index 644686c3a9..2a222c9fb8 100644 --- a/automation/configs/process-restore.yml +++ b/automation/configs/process-restore.yml 
@@ -1,5 +1,5 @@ instances: 1 -memory: 32M +memory: 256M disk_quota: 64M buildpack: "binary_buildpack" diff --git a/automation/configs/production-backup.yml b/automation/configs/production-backup.yml index 8e19a6c61e..555d2c10f6 100644 --- a/automation/configs/production-backup.yml +++ b/automation/configs/production-backup.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 32M +memory: 256M disk_quota: 64M buildpack: "binary_buildpack" diff --git a/automation/configs/production-restore.yml b/automation/configs/production-restore.yml index 97437857ab..013a85d195 100644 --- a/automation/configs/production-restore.yml +++ b/automation/configs/production-restore.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 32M +memory: 256M disk_quota: 64M buildpack: "binary_buildpack" From 6183180f6e8cf3ee7a8e2ad239bb9b50459b5f96 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Thu, 29 Aug 2024 15:38:28 -0700 Subject: [PATCH 098/138] increase memory --- automation/configs/process-backup.yml | 2 +- automation/configs/process-restore.yml | 2 +- automation/configs/production-backup.yml | 2 +- automation/configs/production-restore.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/automation/configs/process-backup.yml b/automation/configs/process-backup.yml index d5a1c65562..de17eebd81 100644 --- a/automation/configs/process-backup.yml +++ b/automation/configs/process-backup.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 256M +memory: 512M disk_quota: 64M buildpack: "binary_buildpack" diff --git a/automation/configs/process-restore.yml b/automation/configs/process-restore.yml index 2a222c9fb8..1dd649c915 100644 --- a/automation/configs/process-restore.yml +++ b/automation/configs/process-restore.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 256M +memory: 512M disk_quota: 64M buildpack: "binary_buildpack" diff --git a/automation/configs/production-backup.yml b/automation/configs/production-backup.yml index 555d2c10f6..915aaeb802 100644 --- a/automation/configs/production-backup.yml 
+++ b/automation/configs/production-backup.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 256M +memory: 512M disk_quota: 64M buildpack: "binary_buildpack" diff --git a/automation/configs/production-restore.yml b/automation/configs/production-restore.yml index 013a85d195..f102c2572a 100644 --- a/automation/configs/production-restore.yml +++ b/automation/configs/production-restore.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 256M +memory: 512M disk_quota: 64M buildpack: "binary_buildpack" From b5bdaa3a47ca29f48be8d68e744a7faeffd72a58 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Thu, 29 Aug 2024 21:47:17 -0700 Subject: [PATCH 099/138] Refactor Process data script to perform the operation more on the postgres side to reduce the memory and terminal logging --- src/tools/processData.js | 645 ++++++++++++++++++++------------------- 1 file changed, 336 insertions(+), 309 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index 9dbb597b24..62c826d6fa 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -3,20 +3,11 @@ /* eslint-disable no-restricted-syntax */ /* eslint-disable no-loop-func */ /* eslint-disable no-await-in-loop */ -import { Op } from 'sequelize'; -import cheerio from 'cheerio'; import faker from '@faker-js/faker'; import { - ActivityReport, User, - Recipient, - Grant, - File, Permission, RequestErrors, - GrantNumberLink, - MonitoringReviewGrantee, - MonitoringClassSummary, sequelize, } from '../models'; 
@@ -36,16 +27,11 @@ const APPROVE_REPORTS = 5; let realUsers = []; let transformedUsers = []; -let transformedRecipients = []; -let realGrants = []; -let transformedGrants = []; +let realRecipients = []; const hsesUsers = [ { name: 'Adam Levin', hsesUsername: 'test.tta.adam', hsesUserId: '50783', email: 'adam.levin@adhocteam.us', }, - { - name: 'Angela Waner', hsesUsername: 'test.tta.angela', hsesUserId: '50599', email: 'angela.waner@adhocteam.us', - }, { name: 'Krys Wisnaskas', hsesUsername: 'test.tta.krys', hsesUserId: '50491', email: 'krystyna@adhocteam.us', }, @@ -61,18 +47,12 @@ const hsesUsers = [ { name: 'Maria Puhl', hsesUsername: 'test.tta.maria', hsesUserId: '51298', email: 'maria.puhl@adhocteam.us', }, - { - name: 'Patrice Pascual', hsesUsername: 'test.tta.patrice', hsesUserId: '45594', email: 'patrice.pascual@acf.hhs.gov', - }, { name: 'Nathan Powell', hsesUsername: 'test.tta.nathan', hsesUserId: '51379', email: 'nathan.powell@adhocteam.us', }, { name: 'Garrett Hill', hsesUsername: 'test.tta.garrett', hsesUserId: '51548', email: 'garrett.hill@adhocteam.us', }, - { - name: 'Adam Roux', hsesUsername: 'test.tta.adamr', hsesUserId: '52047', email: 'adam.roux@adhocteam.us', - }, { name: 'C\'era Oliveira-Norris', hsesUsername: 'test.tta.c\'era', hsesUserId: '52075', email: 'c\'era.oliveira-norris@adhocteam.us', }, @@ -82,9 +62,6 @@ const hsesUsers = [ { name: 'Jon Pyers', hsesUsername: 'test.tta.jon', hsesUserId: '52829', email: 'jon.pyers@adhocteam.us', }, - { - name: 'Abby Blue', hsesUsername: 'test.tta.abby', hsesUserId: '53043', email: 'abby.blue@adhocteam.us', - }, { name: 'Patrick Deutsch', hsesUsername: 'test.tta.patrick', hsesUserId: '53137', email: 'patrick.deutsch@adhocteam.us', }, 
@@ -95,43 +72,90 @@ const hsesUsers = [ const generateFakeEmail = () => 'no-send_'.concat(faker.internet.email()); -const processHtml = async (input) => { - if (!input) { - return input; - } - - const $ = cheerio.load(input); - - const getTextNodes = (elem) => (elem.type === 'text' ? [] : elem.contents().toArray() - .filter((el) => el !== undefined) - .reduce((acc, el) => acc.concat(...el.type === 'text' ? [el] : getTextNodes($(el))), [])); - - getTextNodes($('html')).map((node) => $(node).replaceWith( - $.html(node).trim() === '' // empty - ? faker.random.words(0) - : faker.random.words($.html(node).split(' ').length), - )); - - return cheerio.load($.html(), null, false).html(); // html minus the html, head and body tags -}; - -export const convertEmails = (emails) => { - if (!emails) { - return emails; - } - const emailsArray = emails.split(', '); - const convertedEmails = emailsArray.map((email) => { - const foundUser = realUsers.find((user) => user.email === email); - const userId = foundUser ? foundUser.id : null; - if (userId) { - const foundTransformedUser = transformedUsers.find((user) => user.id === userId); - return foundTransformedUser ? foundTransformedUser.email : ''; - } - return emails.includes('@') ? generateFakeEmail() : ''; - }); +// chr(92) represents the backslash (\) character in ASCII. This prevents JavaScript from +// interfering with the escape sequences in your SQL regular expression when you pass the +// query as a string in sequelize.query. 
+const processHtmlCreate = async () => sequelize.query(/* sql */` + CREATE OR REPLACE FUNCTION "processHtml"(input TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ + DECLARE + result TEXT; + new_word TEXT; + BEGIN + IF input IS NULL OR input = '' THEN + RETURN input; + END IF; + + -- Replace each word with a random word + result := regexp_replace( + input, + chr(92) || 'w+', + ( + SELECT string_agg(word, ' ') + FROM ( + SELECT (ARRAY['Lorem', 'ipsum', 'dolor', 'sit', 'amet', 'consectetur'])[floor(random() * 6 + 1)::int] AS word + FROM generate_series(1, regexp_count(input, chr(92) || 'w+')) + ) AS subquery + ), + 'g' + ); - return convertedEmails.join(', '); -}; + RETURN result; + END $$; +`); + +const processHtmlDrop = async () => sequelize.query(/* sql */` + DROP FUNCTION IF EXISTS "processHtml"(TEXT); +`); + +const convertEmailsCreate = async () => sequelize.query(/* sql */` + CREATE OR REPLACE FUNCTION "convertEmails"(emails TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ + DECLARE + emails_array TEXT[]; + converted_emails TEXT[]; + email TEXT; + converted_email TEXT; + BEGIN + IF emails IS NULL OR emails = '' THEN + RETURN emails; + END IF; + + -- Split the emails string into an array + emails_array := string_to_array(emails, ', '); + + -- Initialize the array for converted emails + converted_emails := ARRAY[]::TEXT[]; + + -- Iterate through each email + FOREACH email IN ARRAY emails_array LOOP + -- Perform the conversion using the provided SQL logic + SELECT zu.new_row_data ->> 'email' + INTO converted_email + FROM "ZALUsers" zu + WHERE zu.old_row_data ->> 'email' = email + AND zu.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zu.dml_txid = lpad(txid_current()::text, 32, '0')::uuid; + + -- If the email was found and converted, add it to the array + IF converted_email IS NOT NULL AND converted_email <> '' THEN + converted_emails := array_append(converted_emails, converted_email); + ELSE + -- If the email wasn't converted, generate a fake email or leave it empty + IF 
email LIKE '%@%' THEN + converted_emails := array_append(converted_emails, generate_fake_email()); + ELSE + converted_emails := array_append(converted_emails, ''); + END IF; + END IF; + END LOOP; + + -- Return the converted emails as a string + RETURN array_to_string(converted_emails, ', '); + END $$; +`); + +const convertEmailsDrop = async () => sequelize.query(/* sql */` + DROP FUNCTION IF EXISTS "convertEmails"(TEXT); +`); export const convertName = (name, email) => { if (!name) { 
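Review bot: In the new `processHtml` SQL function the replacement argument of `regexp_replace` is a scalar subquery, evaluated once, that yields as many filler words as the input has; with the `'g'` flag every word is replaced by that whole string, so a field of n words comes back with roughly n² words, which works against the memory goal of this commit. Because the pattern is `\w+` over the raw column, tag and attribute names are rewritten as well, whereas the removed cheerio version only touched text nodes. Replacing each match with a single fixed token, or splitting with `regexp_split_to_table` and re-aggregating, keeps the output the size of the input. `convertEmails` also calls `generate_fake_email()`, which is not created anywhere in this hunk, and both functions are created under quoted mixed-case names, so every caller has to quote them too.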
@@ -159,105 +183,151 @@ export const convertName = (name, email) => { return foundTransformedUser; }; -export const convertFileName = (fileName) => { - if (fileName === null) { - return fileName; - } - const extension = fileName.slice(fileName.indexOf('.')); - return `${faker.system.fileName()}${extension}`; -}; - -export const convertRecipientName = (recipientsGrants) => { - if (recipientsGrants === null) { - return recipientsGrants; - } - - const recipientGrantsArray = recipientsGrants ? recipientsGrants.split('\n') : []; - - const convertedRecipientsGrants = recipientGrantsArray.map((recipientGrant) => { - const recipientGrantArray = recipientGrant.split('|'); - const grant = recipientGrantArray.length > 1 ? recipientGrantArray[1].trim() : 'Missing Grant'; - - const foundGrant = realGrants.find((g) => g.number === grant); - // get ids of real grants and recipients; - const recipientId = foundGrant ? foundGrant.recipientId : null; - const grantId = foundGrant ? foundGrant.id : null; - // find corresponding transformed grants and recipients - const foundTransformedRecipient = transformedRecipients.find((g) => g.id === recipientId); - const foundTransformedGrant = transformedGrants.find((g) => g.id === grantId); - - const transformedRecipientName = foundTransformedRecipient ? foundTransformedRecipient.name : 'Unknown Recipient'; - const transformedGrantNumber = foundTransformedGrant ? 
foundTransformedGrant.number : 'UnknownGrant'; - return `${transformedRecipientName} | ${transformedGrantNumber}`; - }); - - return convertedRecipientsGrants.join('\n'); -}; +const convertRecipientNameCreate = async () => sequelize.query(/* sql */` + CREATE OR REPLACE FUNCTION "convertRecipientName"(recipients_grants TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ + DECLARE + recipient_grants_array TEXT[]; + converted_recipients_grants TEXT[]; + recipient_grant TEXT; + grant TEXT; + transformed_recipient_name TEXT; + transformed_grant_number TEXT; + BEGIN + IF recipients_grants IS NULL THEN + RETURN recipients_grants; + END IF; + + -- Split the recipientsGrants string into an array + recipient_grants_array := string_to_array(recipients_grants, chr(92) || 'n'); + + -- Initialize the array for converted recipient-grant pairs + converted_recipients_grants := ARRAY[]::TEXT[]; + + -- Iterate through each recipient-grant pair + FOREACH recipient_grant IN ARRAY recipient_grants_array LOOP + -- Extract the grant number from the pair + grant := split_part(recipient_grant, '|', 2); + + -- Remove leading and trailing whitespace + grant := trim(grant); + + -- Perform the conversion using the provided SQL logic + SELECT zgr.new_row_data ->> 'number', r.name + INTO transformed_grant_number, transformed_recipient_name + FROM "ZALGrants" zgr + JOIN "Grants" gr ON zgr.data_id = gr.id + JOIN "Recipients" r ON gr."recipientId" = r.id + WHERE zgr.old_row_data ->> 'number' = grant + AND zgr.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zgr.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; -- Use chr(48) for '0' + + -- Handle cases where no match was found + IF transformed_grant_number IS NULL THEN + transformed_grant_number := 'UnknownGrant'; + END IF; + IF transformed_recipient_name IS NULL THEN + transformed_recipient_name := 'Unknown Recipient'; + END IF; + + -- Construct the converted recipient-grant pair + converted_recipients_grants := array_append( + 
converted_recipients_grants, + transformed_recipient_name || ' | ' || transformed_grant_number + ); + END LOOP; + + -- Return the converted recipients-grants pairs as a string + RETURN array_to_string(converted_recipients_grants, chr(92) || 'n'); + END $$; +`); + +const convertRecipientNameDrop = async () => sequelize.query(/* sql */` + DROP FUNCTION IF EXISTS "convertRecipientName"(TEXT); +`); export const hideUsers = async (userIds) => { const ids = userIds || null; - const where = ids ? { id: ids } : {}; - // save real users - realUsers = (await User.findAll({ - attributes: ['id', 'email', 'name'], - where, - })).map((u) => u.dataValues); - - const users = await User.findAll({ - where, - }); - const promises = []; - // loop through the found users - for (const user of users) { - promises.push( - user.update({ - hsesUsername: faker.internet.email(), - email: generateFakeEmail(), - phoneNumber: faker.phone.phoneNumber(), - name: faker.name.findName(), - }, { individualHooks: true }), - ); - } + const whereClause = ids ? 
`WHERE "id" IN (${ids.join(', ')})` : ''; + + // Save real users + [realUsers] = await sequelize.query(/* sql */` + SELECT "id", "email", "name" + FROM "Users" + ${whereClause}; + `); + + // Generate fake data in JavaScript + const fakeData = realUsers.map((user) => ({ + id: user.id, + hsesUsername: faker.internet.email(), + email: `no-send_${faker.internet.email()}`, + phoneNumber: faker.phone.phoneNumber(), + name: faker.name.findName(), + })); + + // Convert fake data to JSON string for SQL + const fakeDataJSON = JSON.stringify(fakeData); + + // Update users using a CTE + await sequelize.query(/* sql */` + WITH fake_data AS ( + SELECT + jsonb_array_elements('${fakeDataJSON}'::jsonb) AS data + ) + UPDATE "Users" + SET + "hsesUsername" = data->>'hsesUsername', + "email" = data->>'email', + "phoneNumber" = data->>'phoneNumber', + "name" = data->>'name' + FROM fake_data + WHERE "Users"."id" = (data->>'id')::int + ${whereClause}; + `); - await Promise.all(promises); // Retrieve transformed users - transformedUsers = (await User.findAll({ - attributes: ['id', 'email', 'name'], - })).map((u) => u.dataValues); + [transformedUsers] = await sequelize.query(/* sql */` + SELECT "id", "email", "name" + FROM "Users" + ${whereClause}; + `); }; export const hideRecipientsGrants = async (recipientsGrants) => { - realGrants = (await Grant.findAll({ - attributes: ['id', 'recipientId', 'number'], - })).map((g) => g.dataValues); - - const recipientsArray = recipientsGrants ? recipientsGrants.split('\n').map((el) => el.split('|')[0].trim()) : null; - const grantsArray = (recipientsArray && recipientsArray.length > 1) ? recipientsGrants.split('\n').map((el) => el.split('|')[1].trim()) : null; + // Parse recipientsGrants input + const recipientsArray = recipientsGrants + ? recipientsGrants.split('\n').map((el) => el.split('|')[0].trim()) + : null; + const grantsArray = (recipientsArray && recipientsArray.length > 1) + ? 
recipientsGrants.split('\n').map((el) => el.split('|')[1].trim()) + : null; const recipientWhere = recipientsArray - ? { name: { [Op.like]: { [Op.any]: recipientsArray } } } - : {}; - const grantWhere = grantsArray ? { number: { [Op.like]: { [Op.any]: grantsArray } } } : {}; - const recipients = await Recipient.findAll({ - where: recipientWhere, - }); - - const promises = []; - const promisesMonitoring = []; - - // loop through the found reports - for (const recipient of recipients) { - promises.push( - recipient.update({ - name: faker.company.companyName(), - }, { individualHooks: true }), - ); - } - const grants = await Grant.findAll({ - where: grantWhere, - }); - - for (const grant of grants) { - // run this first + ? `WHERE "name" ILIKE ANY(ARRAY[${recipientsArray.map((r) => `'${r}'`).join(', ')}])` + : ''; + const grantWhere = grantsArray + ? `WHERE "number" ILIKE ANY(ARRAY[${grantsArray.map((g) => `'${g}'}`).join(', ')}])` + : ''; + + // Generate fake data for recipients + [realRecipients] = await sequelize.query(/* sql */` + SELECT "id", "name" + FROM "Recipients" + ${recipientWhere}; + `); + + const fakeRecipientData = realRecipients.map((recipient) => ({ + id: recipient.id, + name: faker.company.companyName(), + })); + + // Generate fake data for grants + const [grants] = await sequelize.query(/* sql */` + SELECT "id", "number", "programSpecialistName", "programSpecialistEmail", "grantSpecialistName", "grantSpecialistEmail" + FROM "Grants" + ${grantWhere}; + `); + + const fakeGrantData = grants.map((grant) => { const programSpecialist = convertName( grant.programSpecialistName, grant.programSpecialistEmail, 
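Review bot: `hideUsers` and `hideRecipientsGrants` now build their SQL by template interpolation (`IN (${ids.join(', ')})`, `'${fakeDataJSON}'::jsonb`, and the `ILIKE ANY(ARRAY[...])` filters that wrap each name in single quotes), so any value containing a single quote, whether a faker-generated name or a recipient name passed in by the caller, ends the literal early and changes the statement. Pass the values through the `replacements` option of `sequelize.query` instead; the same applies to the `fakeRecipientDataJSON` and `fakeGrantDataJSON` literals in the next hunk (`@@ -268,63 +338,80 @@`). Two related slips here: the `UPDATE "Users"` statement already has a `WHERE` and then appends `${whereClause}`, producing a second `WHERE` whenever `userIds` is given, and the grant filter maps to `'${g}'}` with a stray `}` inside the pattern. The two SELECTs in `hideUsers` should take the id filter the same way as in the sketch below. hideRecipientsGrants continues past the end of this hunk.

```javascript
// … unchanged: realUsers SELECT and fakeData generation …
const idFilter = ids ? 'AND "Users"."id" IN (:ids)' : '';
await sequelize.query(/* sql */`
  WITH fake_data AS (
    SELECT jsonb_array_elements(CAST(:fakeData AS jsonb)) AS data
  )
  UPDATE "Users"
  -- … unchanged: SET list …
  FROM fake_data
  WHERE "Users"."id" = (data->>'id')::int
  ${idFilter};
`, {
  replacements: { fakeData: JSON.stringify(fakeData), ids: ids || [] },
});
// … unchanged: transformedUsers SELECT …
```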
@@ -268,63 +338,80 @@ export const hideRecipientsGrants = async (recipientsGrants) => { ); const trailingNumber = grant.id; const newGrantNumber = `0${faker.datatype.number({ min: 1, max: 9 })}${faker.animal.type()}0${trailingNumber}`; - - promises.push( - grant.update({ - number: newGrantNumber, - programSpecialistName: programSpecialist.name, - programSpecialistEmail: programSpecialist.email, - grantSpecialistName: grantSpecialist.name, - grantSpecialistEmail: grantSpecialist.email, - }, { individualHooks: true }), - ); - } - await Promise.all(promises); - const oldGrantNumbers = []; - - for (const grant of grants) { - const newGrantNumber = grant.number; - const oldGrantNumber = await GrantNumberLink.findOne({ - attributes: ['grantNumber'], - where: { grantId: grant.id, grantNumber: { [Op.ne]: grant.number } }, - }); - if (oldGrantNumber) { - oldGrantNumbers.push(oldGrantNumber.grantNumber); - // Update corresponding MonitoringReviewGrantee records - promisesMonitoring.push( - MonitoringReviewGrantee.update( - { grantNumber: newGrantNumber }, - { where: { grantNumber: oldGrantNumber.grantNumber } }, - ), - ); - // Update corresponding MonitoringClassSummary records - promisesMonitoring.push( - MonitoringClassSummary.update( - { grantNumber: newGrantNumber }, - { where: { grantNumber: oldGrantNumber.grantNumber } }, - ), - ); - } - } - - await Promise.all(promisesMonitoring); - - await GrantNumberLink.unscoped().destroy({ - where: { grantNumber: { [Op.in]: oldGrantNumbers } }, - force: true, + return { + id: grant.id, + number: newGrantNumber, + programSpecialistName: programSpecialist.name, + programSpecialistEmail: programSpecialist.email, + grantSpecialistName: grantSpecialist.name, + grantSpecialistEmail: grantSpecialist.email, + }; }); - // Retrieve transformed recipients - transformedRecipients = (await Recipient.findAll({ - attributes: ['id', 'name'], - where: { id: recipients.map((g) => g.id) }, - })).map((g) => g.dataValues); - - // Retrieve transformed 
grants - transformedGrants = (await Grant.findAll({ - attributes: ['id', 'number'], - where: { id: grants.map((g) => g.id) }, - })).map((g) => g.dataValues); + // Convert fake data to JSON strings for SQL + const fakeRecipientDataJSON = JSON.stringify(fakeRecipientData); + const fakeGrantDataJSON = JSON.stringify(fakeGrantData); + + // Update recipients using a CTE + await sequelize.query(/* sql */` + WITH fake_recipients AS ( + SELECT + jsonb_array_elements('${fakeRecipientDataJSON}'::jsonb) AS data + ) + UPDATE "Recipients" + SET + "name" = data->>'name' + FROM fake_recipients + WHERE "Recipients"."id" = (data->>'id')::int; + `); + + // Update grants using a CTE + await sequelize.query(/* sql */` + WITH fake_grants AS ( + SELECT + jsonb_array_elements('${fakeGrantDataJSON}'::jsonb) AS data + ) + UPDATE "Grants" + SET + "number" = data->>'number', + "programSpecialistName" = data->>'programSpecialistName', + "programSpecialistEmail" = data->>'programSpecialistEmail', + "grantSpecialistName" = data->>'grantSpecialistName', + "grantSpecialistEmail" = data->>'grantSpecialistEmail' + FROM fake_grants + WHERE "Grants"."id" = (data->>'id')::int; + `); + + // Bulk update MonitoringReviewGrantee, MonitoringClassSummary, and GrantNumberLink + await sequelize.query(/* sql */` + -- Update MonitoringReviewGrantee and MonitoringClassSummary using GrantNumberLink as a bridge: + -- This ensures that grant numbers in MonitoringReviewGrantee and MonitoringClassSummary + -- are updated based on the new grant numbers in the Grants table. + + -- 1. Update MonitoringReviewGrantee + UPDATE "MonitoringReviewGrantee" mrg + SET "grantNumber" = gr.number + FROM "GrantNumberLink" gnl + JOIN "Grants" gr ON gnl."grantId" = gr.id + AND gnl."grantNumber" != gr.number + WHERE mrg."grantNumber" = gnl."grantNumber"; + + -- 2. 
Update MonitoringClassSummary + UPDATE "MonitoringClassSummary" mcs + SET "grantNumber" = gr.number + FROM "GrantNumberLink" gnl + JOIN "Grants" gr ON gnl."grantId" = gr.id + AND gnl."grantNumber" != gr.number + WHERE mcs."grantNumber" = gnl."grantNumber"; + + -- 3. Update GrantNumberLink to reflect the new grant numbers + -- This ensures that the foreign key relationships remain consistent. + UPDATE "GrantNumberLink" gnl + SET "grantNumber" = gr.number + FROM "Grants" gr + WHERE gnl."grantId" = gr.id + AND gnl."grantNumber" != gr.number; + `); }; const givePermissions = (id) => { 
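Review bot: The raw `UPDATE "Recipients"` and `UPDATE "Grants"` statements bypass Sequelize model hooks, which the removed `recipient.update(...)` and `grant.update(...)` calls explicitly requested with `{ individualHooks: true }`; if a hook maintains `GrantNumberLink` or audit rows (not visible here), that side effect no longer happens. The third statement of the bulk block also rewrites old `GrantNumberLink` rows in place where the previous code deleted them with `force: true`, so a grant with several historical links would end up with several rows carrying the same number; check this against any unique constraint on that table. A short comment above the block, stating that hooks are skipped on purpose and why links are updated rather than removed, would make the intent reviewable. hideRecipientsGrants begins before this hunk.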
@@ -407,133 +494,73 @@ export const truncateAuditTables = async () => { } }; +export const processFiles = async () => sequelize.query(/* sql */` + UPDATE "Files" + SET "originalFileName" = + CONCAT( + SUBSTRING(md5(random()::text), 1, 8), -- Random file name + SUBSTRING("originalFileName" FROM '\\..*$') -- Original extension + ) + WHERE "originalFileName" IS NOT NULL; +`); + +export const processActivityReports = async (where) => sequelize.query(/* sql */` + UPDATE "ActivityReport" + SET + "managerNotes" = processHtml("managerNotes"), + "additionalNotes" = processHtml("additionalNotes"), + "context" = processHtml("context"), + "imported" = CASE + WHEN "imported" IS NOT NULL THEN + jsonb_set("imported", '{additionalNotesForThisActivity}', to_jsonb(processHtml("imported"->>'additionalNotesForThisActivity')), true) + || jsonb_set("imported", '{cdiGranteeName}', to_jsonb(processHtml("imported"->>'cdiGranteeName')), true) + || jsonb_set("imported", '{contextForThisActivity}', to_jsonb(processHtml("imported"->>'contextForThisActivity')), true) + || jsonb_set("imported", '{createdBy}', to_jsonb(convertEmails("imported"->>'createdBy')), true) + || jsonb_set("imported", '{granteeFollowUpTasksObjectives}', to_jsonb(processHtml("imported"->>'granteeFollowUpTasksObjectives')), true) + || jsonb_set("imported", '{granteeName}', to_jsonb(convertRecipientName("imported"->>'granteeName')), true) + || jsonb_set("imported", '{manager}', to_jsonb(convertEmails("imported"->>'manager')), true) + || jsonb_set("imported", '{modifiedBy}', to_jsonb(convertEmails("imported"->>'modifiedBy')), true) + || jsonb_set("imported", '{otherSpecialists}', to_jsonb(convertEmails("imported"->>'otherSpecialists')), true) + || jsonb_set("imported", '{specialistFollowUpTasksObjectives}', to_jsonb(processHtml("imported"->>'specialistFollowUpTasksObjectives')), true) + ELSE + "imported" + END + WHERE 1 = 1 + ${where}; +`); + const processData = async (mockReport) => sequelize.transaction(async () => { const 
activityReportId = mockReport ? mockReport.id : null; - const where = activityReportId ? { id: activityReportId } : {}; + const where = activityReportId ? `AND id = ${activityReportId}` : ''; const userIds = mockReport ? [3000, 3001, 3002, 3003] : null; const recipientsGrants = mockReport ? mockReport.imported.granteeName : null; - const files = await File.findAll(); - const promises = []; + await processHtmlCreate(); + await convertEmailsCreate(); + await convertRecipientNameCreate(); // Hide users await hideUsers(userIds); - if (typeof global.gc === 'function') global.gc(); - // Hide recipients and grants await hideRecipientsGrants(recipientsGrants); - if (typeof global.gc === 'function') global.gc(); + await processActivityReports(where); - const BATCH_SIZE = 100; // Define a reasonable batch size - let offset = 0; - let reports; - - // Loop through the reports in batches - do { - reports = await ActivityReport.unscoped().findAll({ - where, - limit: BATCH_SIZE, - offset, - }); - - for await (const report of reports) { - const { imported } = report; - - promises.push( - report.update({ - managerNotes: await processHtml(report.managerNotes), - additionalNotes: await processHtml(report.additionalNotes), - context: await processHtml(report.context), - }, { individualHooks: true }), - ); - - if (imported) { - const newImported = { - additionalNotesForThisActivity: await processHtml( - imported.additionalNotesForThisActivity, - ), - cdiGranteeName: await processHtml(imported.cdiGranteeName), - contextForThisActivity: await processHtml( - imported.contextForThisActivity, - ), - created: imported.created, - createdBy: convertEmails(imported.createdBy), - duration: imported.duration, - endDate: imported.endDate, - format: imported.format, - goal1: imported.goal1, - goal2: imported.goal2, - granteeFollowUpTasksObjectives: await processHtml( - imported.granteeFollowUpTasksObjectives, - ), - granteeName: convertRecipientName(imported.granteeName), - granteeParticipants: 
imported.granteeParticipants, - granteesLearningLevelGoal1: imported.granteesLearningLevelGoal1, - granteesLearningLevelGoal2: imported.granteesLearningLevelGoal2, - manager: convertEmails(imported.manager), - modified: imported.modified, - modifiedBy: convertEmails(imported.modifiedBy), - multiGranteeActivities: imported.multiGranteeActivities, - nonGranteeActivity: imported.nonGranteeActivity, - nonGranteeParticipants: imported.nonGranteeParticipants, - nonOhsResources: imported.nonOhsResources, - numberOfParticipants: imported.numberOfParticipants, - objective11: imported.objective11, - objective11Status: imported.objective11Status, - objective12: imported.objective12, - objective12Status: imported.objective12Status, - objective21: imported.objective21, - objective21Status: imported.objective21Status, - objective22: imported.objective22, - objective22Status: imported.objective22Status, - otherSpecialists: convertEmails(imported.otherSpecialists), - otherTopics: imported.otherTopics, - programType: imported.programType, - reasons: imported.reasons, - reportId: imported.reportId, - resourcesUsed: imported.resourcesUsed, - sourceOfRequest: imported.sourceOfRequest, - specialistFollowUpTasksObjectives: await processHtml( - imported.specialistFollowUpTasksObjectives, - ), - startDate: imported.startDate, - tTa: imported.tTa, - targetPopulations: imported.targetPopulations, - topics: imported.topics, - ttaProvidedAndGranteeProgressMade: imported.ttaProvidedAndGranteeProgressMade, - }; - promises.push(report.update({ imported: newImported }, { individualHooks: true })); - } - } - - offset += BATCH_SIZE; - - // After processing each batch, trigger garbage collection - if (typeof global.gc === 'function') global.gc(); - } while (reports.length === BATCH_SIZE); - - for (const file of files) { - promises.push( - file.update({ - originalFileName: convertFileName(file.originalFileName), - }, { individualHooks: true }), - ); - } + await processFiles(); await bootstrapUsers(); 
- if (typeof global.gc === 'function') global.gc(); - // Delete from RequestErrors await RequestErrors.destroy({ where: {}, truncate: true, }); - await Promise.all(promises); + await processHtmlDrop(); + await convertEmailsDrop(); + await convertRecipientNameDrop(); return truncateAuditTables(); }); From e8ecdc6ba222dd4051fdf96272a05250cdac7cfc Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 08:29:55 -0700 Subject: [PATCH 100/138] corrections for refactor --- package.json | 2 +- src/tools/processData.js | 138 ++++++++++++++++++++++++++------------- 2 files changed, 94 insertions(+), 46 deletions(-) diff --git a/package.json b/package.json index aa0bf1a3b5..531c14079e 100644 --- a/package.json +++ b/package.json @@ -86,7 +86,7 @@ "import:system": "cross-env POSTGRES_USERNAME=postgres POSTGRES_DB=ttasmarthub tsx src/tools/importSystemCLI.ts", "reconcile:legacy": "node ./build/server/src/tools/reconcileLegacyReports.js", "reconcile:legacy:local": "./node_modules/.bin/babel-node ./src/tools/reconcileLegacyReports.js", - "processData:local": "./node_modules/.bin/babel-node ./src/tools/processDataCLI.js", + "processData:local": "tsx ./src/tools/processDataCLI.js", "ldm:ci": "cross-env POSTGRES_USERNAME=postgres POSTGRES_DB=ttasmarthub tsx ./src/tools/logicalDataModelCLI.ts", "ldm": "tsx ./src/tools/logicalDataModelCLI.ts", "changeReportStatus": "node ./build/server/src/tools/changeReportStatusCLI.js", diff --git a/src/tools/processData.js b/src/tools/processData.js index 62c826d6fa..c8a271fd29 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -114,6 +114,7 @@ const convertEmailsCreate = async () => sequelize.query(/* sql */` converted_emails TEXT[]; email TEXT; converted_email TEXT; + domain TEXT; BEGIN IF emails IS NULL OR emails = '' THEN RETURN emails; 
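Review bot: In `processActivityReports`, the `"imported"` CASE arm joins ten `jsonb_set("imported", …)` results with `||`, and each of those is the full original object with only one key rewritten. Because `||` on two objects keeps the right-hand value for duplicate keys, the last operand puts the original values back for every key except `specialistFollowUpTasksObjectives`, so the e-mail and grantee fields reach the anonymised copy unscrubbed. Merging one object of rewritten keys over `"imported"` avoids this, as sketched below. The later hunk in patch 100 that quotes the function names keeps the same chain. The sketch uses the quoted names from that hunk.

```javascript
// … unchanged: UPDATE statement and the plain-column assignments …
    "imported" = CASE
      WHEN "imported" IS NOT NULL THEN
        "imported" || jsonb_build_object(
          'additionalNotesForThisActivity', "processHtml"("imported"->>'additionalNotesForThisActivity'),
          'cdiGranteeName', "processHtml"("imported"->>'cdiGranteeName'),
          'contextForThisActivity', "processHtml"("imported"->>'contextForThisActivity'),
          'createdBy', "convertEmails"("imported"->>'createdBy'),
          'granteeFollowUpTasksObjectives', "processHtml"("imported"->>'granteeFollowUpTasksObjectives'),
          'granteeName', "convertRecipientName"("imported"->>'granteeName'),
          'manager', "convertEmails"("imported"->>'manager'),
          'modifiedBy', "convertEmails"("imported"->>'modifiedBy'),
          'otherSpecialists', "convertEmails"("imported"->>'otherSpecialists'),
          'specialistFollowUpTasksObjectives', "processHtml"("imported"->>'specialistFollowUpTasksObjectives')
        )
// … unchanged: ELSE branch and WHERE clause …
```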
@@ -139,9 +140,24 @@ const convertEmailsCreate = async () => sequelize.query(/* sql */` IF converted_email IS NOT NULL AND converted_email <> '' THEN converted_emails := array_append(converted_emails, converted_email); ELSE - -- If the email wasn't converted, generate a fake email or leave it empty + -- Generate a fake email if the email wasn't converted IF email LIKE '%@%' THEN - converted_emails := array_append(converted_emails, generate_fake_email()); + -- Extract domain from the email + domain := SPLIT_PART(email, '@', 2); + + -- Generate the fake email using md5 of the original username + converted_email := 'no-send_' || md5(SPLIT_PART(email, '@', 1)) || '@' || ( + SELECT email_domain FROM ( + SELECT SPLIT_PART(e.email, '@', 2) AS email_domain + FROM "Users" e + WHERE NULLIF(TRIM(SPLIT_PART(e.email, '@', 2)), '') IS NOT NULL + ORDER BY RANDOM() + LIMIT 1 + ) AS random_domain + ); + + -- Add the fake email to the array + converted_emails := array_append(converted_emails, converted_email); ELSE converted_emails := array_append(converted_emails, ''); END IF; @@ -189,7 +205,7 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` recipient_grants_array TEXT[]; converted_recipients_grants TEXT[]; recipient_grant TEXT; - grant TEXT; + grant_number TEXT; -- Renamed from 'grant' to 'grant_number' transformed_recipient_name TEXT; transformed_grant_number TEXT; BEGIN @@ -206,10 +222,10 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` -- Iterate through each recipient-grant pair FOREACH recipient_grant IN ARRAY recipient_grants_array LOOP -- Extract the grant number from the pair - grant := split_part(recipient_grant, '|', 2); + grant_number := split_part(recipient_grant, '|', 2); -- Remove leading and trailing whitespace - grant := trim(grant); + grant_number := trim(grant_number); -- Perform the conversion using the provided SQL logic SELECT zgr.new_row_data ->> 'number', r.name 
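Review bot: The fallback address built in the `ELSE` branch is `'no-send_' || md5(SPLIT_PART(email, '@', 1))`, an unsalted hash of the real mailbox name, so anyone holding a list of candidate usernames can still confirm who appears in the anonymised dump. If a stable mapping is not needed, a random token like the one `processFiles` uses (`SUBSTRING(md5(random()::text), 1, 8)`) removes that link. If it is needed, mix in a secret that is not shipped with the dump. The new `domain` variable is assigned but never read. The function body starts and ends outside this hunk.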
@@ -217,7 +233,7 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` FROM "ZALGrants" zgr JOIN "Grants" gr ON zgr.data_id = gr.id JOIN "Recipients" r ON gr."recipientId" = r.id - WHERE zgr.old_row_data ->> 'number' = grant + WHERE zgr.old_row_data ->> 'number' = grant_number AND zgr.dml_timestamp >= NOW() - INTERVAL '30 minutes' AND zgr.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; -- Use chr(48) for '0' @@ -256,23 +272,42 @@ export const hideUsers = async (userIds) => { ${whereClause}; `); - // Generate fake data in JavaScript - const fakeData = realUsers.map((user) => ({ - id: user.id, - hsesUsername: faker.internet.email(), - email: `no-send_${faker.internet.email()}`, - phoneNumber: faker.phone.phoneNumber(), - name: faker.name.findName(), - })); + const usedHsesUsernames = new Set(); + const usedEmails = new Set(); + + const fakeData = realUsers.map((user) => { + let hsesUsername; + let email; + + // Ensure hsesUsername is unique + do { + hsesUsername = faker.internet.email(); + } while (usedHsesUsernames.has(hsesUsername)); + usedHsesUsernames.add(hsesUsername); + + // Ensure email is unique + do { + email = `no-send_${faker.internet.email()}`; + } while (usedEmails.has(email)); + usedEmails.add(email); - // Convert fake data to JSON string for SQL - const fakeDataJSON = JSON.stringify(fakeData); + return { + id: user.id, + hsesUsername, + email, + phoneNumber: faker.phone.phoneNumber(), + name: faker.name.findName().replace(/'/g, ''), + }; + }); + + // // Convert fake data to JSON string for SQL + // const fakeDataJSON = JSON.stringify(fakeData); // Update users using a CTE await sequelize.query(/* sql */` WITH fake_data AS ( SELECT - jsonb_array_elements('${fakeDataJSON}'::jsonb) AS data + jsonb_array_elements(:fakeDataJSON::jsonb) AS data ) UPDATE "Users" SET 
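Review bot: In the `hideUsers` hunk, the `.replace(/'/g, '')` on the generated name is no longer needed to keep the statement well-formed, because the JSON now reaches the query through the bound `:fakeDataJSON` placeholder. The two commented-out `fakeDataJSON` lines can be deleted rather than kept as dead code. `hideUsers` continues past the end of this hunk.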
@@ -283,7 +318,9 @@ export const hideUsers = async (userIds) => { FROM fake_data WHERE "Users"."id" = (data->>'id')::int ${whereClause}; - `); + `, { + replacements: { fakeDataJSON: JSON.stringify(fakeData) }, + }); // Retrieve transformed users [transformedUsers] = await sequelize.query(/* sql */` @@ -317,7 +354,7 @@ export const hideRecipientsGrants = async (recipientsGrants) => { const fakeRecipientData = realRecipients.map((recipient) => ({ id: recipient.id, - name: faker.company.companyName(), + name: faker.company.companyName().replace(/'/g, ''), })); // Generate fake data for grants 
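Review bot: `${whereClause}` is appended directly after `WHERE "Users"."id" = (data->>'id')::int`, but `whereClause` itself starts with `WHERE` (its definition, `WHERE "id" IN (${ids.join(', ')})`, appears in a later patch of this series). Whenever `userIds` is passed, the UPDATE therefore contains two `WHERE` keywords and fails to parse. Since this hunk already introduces `replacements`, the filter can be bound too: append `AND "Users"."id" IN (:ids)` only when `ids` is set, and pass `replacements: { fakeDataJSON: JSON.stringify(fakeData), ids }`. That also removes the interpolated id list from the SQL text.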
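Review bot: Stripping apostrophes from `faker.company.companyName()` in `hideRecipientsGrants` works around a problem it does not fix: the recipient and grant JSON is still pasted into a single-quoted SQL literal (`'${fakeRecipientDataJSON}'::jsonb`, visible elsewhere in this series). The grant payload carries names produced by `convertName()`, which are not stripped, so a generated name containing an apostrophe can still break that statement. Binding the JSON the way `hideUsers` now does makes the `.replace()` unnecessary: `jsonb_array_elements(:fakeRecipientDataJSON::jsonb)` with `replacements: { fakeRecipientDataJSON }`, and the same for the grants query.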
@@ -384,33 +421,44 @@ export const hideRecipientsGrants = async (recipientsGrants) => { // Bulk update MonitoringReviewGrantee, MonitoringClassSummary, and GrantNumberLink await sequelize.query(/* sql */` - -- Update MonitoringReviewGrantee and MonitoringClassSummary using GrantNumberLink as a bridge: - -- This ensures that grant numbers in MonitoringReviewGrantee and MonitoringClassSummary - -- are updated based on the new grant numbers in the Grants table. + -- 1. Disable the foreign key constraints + ALTER TABLE "MonitoringReviewGrantees" DROP CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey"; + ALTER TABLE "MonitoringClassSummaries" DROP CONSTRAINT "MonitoringClassSummaries_grantNumber_fkey"; - -- 1. Update MonitoringReviewGrantee - UPDATE "MonitoringReviewGrantee" mrg + -- 2. Perform the data modifications + -- Update MonitoringReviewGrantee + UPDATE "MonitoringReviewGrantees" mrg SET "grantNumber" = gr.number - FROM "GrantNumberLink" gnl + FROM "GrantNumberLinks" gnl JOIN "Grants" gr ON gnl."grantId" = gr.id AND gnl."grantNumber" != gr.number WHERE mrg."grantNumber" = gnl."grantNumber"; - -- 2. Update MonitoringClassSummary - UPDATE "MonitoringClassSummary" mcs + -- Update MonitoringClassSummary + UPDATE "MonitoringClassSummaries" mcs SET "grantNumber" = gr.number - FROM "GrantNumberLink" gnl + FROM "GrantNumberLinks" gnl JOIN "Grants" gr ON gnl."grantId" = gr.id AND gnl."grantNumber" != gr.number WHERE mcs."grantNumber" = gnl."grantNumber"; - -- 3. Update GrantNumberLink to reflect the new grant numbers - -- This ensures that the foreign key relationships remain consistent. - UPDATE "GrantNumberLink" gnl + -- Update GrantNumberLink to reflect the new grant numbers + UPDATE "GrantNumberLinks" gnl SET "grantNumber" = gr.number FROM "Grants" gr WHERE gnl."grantId" = gr.id AND gnl."grantNumber" != gr.number; + + -- 3. 
Re-add the foreign key constraints with NOT VALID + ALTER TABLE "MonitoringReviewGrantees" ADD CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey" + FOREIGN KEY ("grantNumber") REFERENCES "GrantNumberLinks"("grantNumber") NOT VALID; + + ALTER TABLE "MonitoringClassSummaries" ADD CONSTRAINT "MonitoringClassSummaries_grantNumber_fkey" + FOREIGN KEY ("grantNumber") REFERENCES "GrantNumberLinks"("grantNumber") NOT VALID; + + -- 4. Revalidate the foreign key constraints + ALTER TABLE "MonitoringReviewGrantees" VALIDATE CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey"; + ALTER TABLE "MonitoringClassSummaries" VALIDATE CONSTRAINT "MonitoringClassSummaries_grantNumber_fkey"; `); }; 
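Review bot: The two foreign keys are re-created by hand with only `FOREIGN KEY ("grantNumber") REFERENCES "GrantNumberLinks"("grantNumber")`. Any `ON UPDATE`/`ON DELETE` action or deferrability on the migration-defined constraints (not visible here) would be lost in the anonymised database that is later restored elsewhere. `DROP CONSTRAINT` without `IF EXISTS` also aborts the whole run if a constraint name ever differs, which `ALTER TABLE "MonitoringReviewGrantees" DROP CONSTRAINT IF EXISTS "MonitoringReviewGrantees_grantNumber_fkey";` would avoid. Adding the constraint `NOT VALID` and validating it in the same batch gains nothing over a plain `ADD CONSTRAINT`. A comment stating that the definition must match the migration would help the next reader.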
@@ -505,23 +553,23 @@ export const processFiles = async () => sequelize.query(/* sql */` `); export const processActivityReports = async (where) => sequelize.query(/* sql */` - UPDATE "ActivityReport" + UPDATE "ActivityReports" SET - "managerNotes" = processHtml("managerNotes"), - "additionalNotes" = processHtml("additionalNotes"), - "context" = processHtml("context"), + -- "managerNotes" = "processHtml"("managerNotes"), + "additionalNotes" = "processHtml"("additionalNotes"), + "context" = "processHtml"("context"), "imported" = CASE WHEN "imported" IS NOT NULL THEN - jsonb_set("imported", '{additionalNotesForThisActivity}', to_jsonb(processHtml("imported"->>'additionalNotesForThisActivity')), true) - || jsonb_set("imported", '{cdiGranteeName}', to_jsonb(processHtml("imported"->>'cdiGranteeName')), true) - || jsonb_set("imported", '{contextForThisActivity}', to_jsonb(processHtml("imported"->>'contextForThisActivity')), true) - || jsonb_set("imported", '{createdBy}', to_jsonb(convertEmails("imported"->>'createdBy')), true) - || jsonb_set("imported", '{granteeFollowUpTasksObjectives}', to_jsonb(processHtml("imported"->>'granteeFollowUpTasksObjectives')), true) - || jsonb_set("imported", '{granteeName}', to_jsonb(convertRecipientName("imported"->>'granteeName')), true) - || jsonb_set("imported", '{manager}', to_jsonb(convertEmails("imported"->>'manager')), true) - || jsonb_set("imported", '{modifiedBy}', to_jsonb(convertEmails("imported"->>'modifiedBy')), true) - || jsonb_set("imported", '{otherSpecialists}', to_jsonb(convertEmails("imported"->>'otherSpecialists')), true) - || jsonb_set("imported", '{specialistFollowUpTasksObjectives}', to_jsonb(processHtml("imported"->>'specialistFollowUpTasksObjectives')), true) + jsonb_set("imported", '{additionalNotesForThisActivity}', to_jsonb("processHtml"("imported"->>'additionalNotesForThisActivity')), true) + || jsonb_set("imported", '{cdiGranteeName}', to_jsonb("processHtml"("imported"->>'cdiGranteeName')), true) + || 
jsonb_set("imported", '{contextForThisActivity}', to_jsonb("processHtml"("imported"->>'contextForThisActivity')), true) + || jsonb_set("imported", '{createdBy}', to_jsonb("convertEmails"("imported"->>'createdBy')), true) + || jsonb_set("imported", '{granteeFollowUpTasksObjectives}', to_jsonb("processHtml"("imported"->>'granteeFollowUpTasksObjectives')), true) + || jsonb_set("imported", '{granteeName}', to_jsonb("convertRecipientName"("imported"->>'granteeName')), true) + || jsonb_set("imported", '{manager}', to_jsonb("convertEmails"("imported"->>'manager')), true) + || jsonb_set("imported", '{modifiedBy}', to_jsonb("convertEmails"("imported"->>'modifiedBy')), true) + || jsonb_set("imported", '{otherSpecialists}', to_jsonb("convertEmails"("imported"->>'otherSpecialists')), true) + || jsonb_set("imported", '{specialistFollowUpTasksObjectives}', to_jsonb("processHtml"("imported"->>'specialistFollowUpTasksObjectives')), true) ELSE "imported" END From 972fc60bb7aeb9b41ba61948509081cebb6728cd Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 12:09:55 -0700 Subject: [PATCH 101/138] add comments --- automation/configs/process.yml | 2 +- src/tools/processData.js | 170 +++++++++++++++++++++------------ 2 files changed, 108 insertions(+), 64 deletions(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index 3300f0c281..a0136917e2 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml @@ -1,5 +1,5 @@ instances: 1 -memory: 2GB +memory: 512 MB disk_quota: 1GB buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" diff --git a/src/tools/processData.js b/src/tools/processData.js index c8a271fd29..7d31a885b2 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -3,6 +3,7 @@ /* eslint-disable no-restricted-syntax */ /* eslint-disable no-loop-func */ /* eslint-disable no-await-in-loop */ + import faker from '@faker-js/faker'; import { User, 
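Review bot: In `processActivityReports`, `"managerNotes" = "processHtml"("managerNotes")` is commented out rather than fixed. The loop removed earlier in this series scrubbed that column (`managerNotes: await processHtml(report.managerNotes)`), so manager notes now pass into the anonymised copy unchanged. If the column no longer exists, replace the dead line with a comment saying so. Otherwise restore it as `"managerNotes" = "processHtml"("managerNotes"),`.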
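Review bot: `memory: 512 MB` is written with a space, while the neighbouring `disk_quota: 1GB` has none. Confirm that the platform's manifest parser accepts the spaced form, or write `memory: 512MB` to match. The cut from 2GB is also unrelated to the commit subject ("add comments") and would be easier to trace in a commit of its own.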
@@ -11,6 +12,7 @@ import { sequelize, } from '../models'; +// Define constants representing different permission scopes that can be assigned to users const SITE_ACCESS = 1; const ADMIN = 2; const READ_WRITE_REPORTS = 3; @@ -18,16 +20,16 @@ const READ_REPORTS = 4; const APPROVE_REPORTS = 5; /** - * processData script replaces user names, emails, recipient and grant information, - * file names as well as certain html fields with generated data while preserving - * existing relationships and non-PII data. - * - * Resulting anonymized database can then be restored in non-production environments. + * The processData script is responsible for anonymizing sensitive user data, including names, emails, recipient information, grant details, and certain HTML fields. + * This anonymization ensures that the resulting database, which can then be restored in non-production environments, preserves existing relationships and non-personally identifiable information (non-PII) data. */ +// Arrays to hold the original real user data and the transformed anonymized user data let realUsers = []; let transformedUsers = []; let realRecipients = []; + +// Predefined list of users from HSES (Head Start Enterprise System) with their details such as name, username, user ID, and email const hsesUsers = [ { name: 'Adam Levin', hsesUsername: 'test.tta.adam', hsesUserId: '50783', email: 'adam.levin@adhocteam.us', 
@@ -70,11 +72,14 @@ const hsesUsers = [ }, ]; +// A helper function to generate a fake email address by prefixing 'no-send_' to a randomly generated email using the faker library const generateFakeEmail = () => 'no-send_'.concat(faker.internet.email()); // chr(92) represents the backslash (\) character in ASCII. This prevents JavaScript from // interfering with the escape sequences in your SQL regular expression when you pass the // query as a string in sequelize.query. + +// Function to create a PL/pgSQL function in the PostgreSQL database that processes HTML content by replacing words with randomly generated words const processHtmlCreate = async () => sequelize.query(/* sql */` CREATE OR REPLACE FUNCTION "processHtml"(input TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE @@ -85,10 +90,10 @@ const processHtmlCreate = async () => sequelize.query(/* sql */` RETURN input; END IF; - -- Replace each word with a random word + -- Replace each word in the input with a random word from a predefined list result := regexp_replace( input, - chr(92) || 'w+', + chr(92) || 'w+', -- Match words using a regular expression ( SELECT string_agg(word, ' ') FROM ( @@ -96,17 +101,19 @@ const processHtmlCreate = async () => sequelize.query(/* sql */` FROM generate_series(1, regexp_count(input, chr(92) || 'w+')) ) AS subquery ), - 'g' + 'g' -- Global flag to replace all occurrences ); RETURN result; END $$; `); +// Function to drop the "processHtml" function from the PostgreSQL database if it exists const processHtmlDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "processHtml"(TEXT); `); +// Function to create a PL/pgSQL function in the PostgreSQL database that converts email addresses by either finding a corresponding anonymized email or generating a fake one const convertEmailsCreate = async () => sequelize.query(/* sql */` CREATE OR REPLACE FUNCTION "convertEmails"(emails TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE 
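Review bot: The comment added in `processHtmlCreate` says each word is replaced with a random word, but the replacement argument of `regexp_replace` is one scalar subquery (`string_agg(word, ' ')` over one row per match). As written, every `\w+` match appears to receive the same aggregated string, so the output grows with roughly the square of the word count. The pattern also matches tag and attribute names, so markup is rewritten along with the text. A more accurate comment would be `-- NOTE: every match gets the same aggregated string; tag names match too`. The inner SELECT that produces `word` lies between this hunk and the next, so confirm against the full function.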
@@ -120,15 +127,15 @@ const convertEmailsCreate = async () => sequelize.query(/* sql */` RETURN emails; END IF; - -- Split the emails string into an array + -- Split the input emails string into an array of individual email addresses emails_array := string_to_array(emails, ', '); - -- Initialize the array for converted emails + -- Initialize the array to store the converted (anonymized) emails converted_emails := ARRAY[]::TEXT[]; - -- Iterate through each email + -- Iterate through each email in the array FOREACH email IN ARRAY emails_array LOOP - -- Perform the conversion using the provided SQL logic + -- Try to find a corresponding anonymized email from the ZALUsers table within the last 30 minutes and with the current transaction ID SELECT zu.new_row_data ->> 'email' INTO converted_email FROM "ZALUsers" zu @@ -136,16 +143,16 @@ const convertEmailsCreate = async () => sequelize.query(/* sql */` AND zu.dml_timestamp >= NOW() - INTERVAL '30 minutes' AND zu.dml_txid = lpad(txid_current()::text, 32, '0')::uuid; - -- If the email was found and converted, add it to the array + -- If a converted email is found, add it to the array IF converted_email IS NOT NULL AND converted_email <> '' THEN converted_emails := array_append(converted_emails, converted_email); ELSE - -- Generate a fake email if the email wasn't converted + -- If no converted email is found, generate a fake email address IF email LIKE '%@%' THEN - -- Extract domain from the email + -- Extract the domain from the email domain := SPLIT_PART(email, '@', 2); - -- Generate the fake email using md5 of the original username + -- Generate the fake email using the md5 hash of the original username and a random domain from the Users table converted_email := 'no-send_' || md5(SPLIT_PART(email, '@', 1)) || '@' || ( SELECT email_domain FROM ( SELECT SPLIT_PART(e.email, '@', 2) AS email_domain 
@@ -156,49 +163,54 @@ const convertEmailsCreate = async () => sequelize.query(/* sql */` ) AS random_domain ); - -- Add the fake email to the array + -- Add the generated fake email to the array converted_emails := array_append(converted_emails, converted_email); ELSE + -- If the email is not valid, add an empty string to the array converted_emails := array_append(converted_emails, ''); END IF; END IF; END LOOP; - -- Return the converted emails as a string + -- Return the array of converted emails as a comma-separated string RETURN array_to_string(converted_emails, ', '); END $$; `); +// Function to drop the "convertEmails" function from the PostgreSQL database if it exists const convertEmailsDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "convertEmails"(TEXT); `); +// Function to convert a user's name and email to anonymized data, ensuring consistent anonymization across the dataset export const convertName = (name, email) => { if (!name) { return { name, email }; } - const additionalId = 99999; + const additionalId = 99999; // Arbitrary ID to use for users not found in the realUsers array let foundUser = realUsers.find((user) => user.email === email); - // Not all program specialists or grant specialist are in the Hub yet - // Add it to the realUsers + // If the user is not found and the email contains '@', add the user to the realUsers array if (!foundUser && email.includes('@')) { foundUser = { id: additionalId + 1, name, email }; realUsers.push(foundUser); } + // Find the corresponding transformed (anonymized) user data let foundTransformedUser = transformedUsers.find((user) => user.id === foundUser.id); if (!foundTransformedUser) { + // If the transformed user is not found, create a new transformed user with a fake name and email foundTransformedUser = { id: foundUser.id, - name: faker.name.findName(), - email: generateFakeEmail(), + name: faker.name.findName(), // Generate a fake name + email: generateFakeEmail(), // Generate a fake 
email }; transformedUsers.push(foundTransformedUser); } return foundTransformedUser; }; +// Function to create a PL/pgSQL function in the PostgreSQL database that converts recipient names and grant numbers to anonymized data const convertRecipientNameCreate = async () => sequelize.query(/* sql */` CREATE OR REPLACE FUNCTION "convertRecipientName"(recipients_grants TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE @@ -213,10 +225,10 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` RETURN recipients_grants; END IF; - -- Split the recipientsGrants string into an array + -- Split the recipients_grants string into an array of recipient-grant pairs recipient_grants_array := string_to_array(recipients_grants, chr(92) || 'n'); - -- Initialize the array for converted recipient-grant pairs + -- Initialize the array to store the converted recipient-grant pairs converted_recipients_grants := ARRAY[]::TEXT[]; -- Iterate through each recipient-grant pair @@ -224,7 +236,7 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` -- Extract the grant number from the pair grant_number := split_part(recipient_grant, '|', 2); - -- Remove leading and trailing whitespace + -- Remove leading and trailing whitespace from the grant number grant_number := trim(grant_number); -- Perform the conversion using the provided SQL logic @@ -237,7 +249,7 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` AND zgr.dml_timestamp >= NOW() - INTERVAL '30 minutes' AND zgr.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; -- Use chr(48) for '0' - -- Handle cases where no match was found + -- Handle cases where no match was found and assign default values IF transformed_grant_number IS NULL THEN transformed_grant_number := 'UnknownGrant'; END IF; 
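Review bot: In `convertName`, every person missing from `realUsers` is given `id: additionalId + 1`, which is the same id each time, so `transformedUsers.find((user) => user.id === foundUser.id)` hands all of them the first fake identity that was generated. When `email` is null or has no `@`, `foundUser` stays undefined and `foundUser.id` throws. A distinct id and a guard fix both: `if (!foundUser && email && email.includes('@')) {`, then `foundUser = { id: additionalId + realUsers.length + 1, name, email };`, and after the block `if (!foundUser) return { name: faker.name.findName(), email: generateFakeEmail() };`. The new "Arbitrary ID" comment should state that the id must be unique per added user.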
@@ -245,27 +257,30 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` transformed_recipient_name := 'Unknown Recipient'; END IF; - -- Construct the converted recipient-grant pair + -- Construct the converted recipient-grant pair and add it to the array converted_recipients_grants := array_append( converted_recipients_grants, transformed_recipient_name || ' | ' || transformed_grant_number ); END LOOP; - -- Return the converted recipients-grants pairs as a string + -- Return the converted recipient-grant pairs as a string RETURN array_to_string(converted_recipients_grants, chr(92) || 'n'); END $$; `); +// Function to drop the "convertRecipientName" function from the PostgreSQL database if it exists const convertRecipientNameDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "convertRecipientName"(TEXT); `); +// Function to anonymize user data by replacing names, emails, and other details with generated fake data export const hideUsers = async (userIds) => { + // Prepare the WHERE clause for the query based on the provided user IDs, if any const ids = userIds || null; const whereClause = ids ? `WHERE "id" IN (${ids.join(', ')})` : ''; - // Save real users + // Query the database to retrieve real user data based on the WHERE clause [realUsers] = await sequelize.query(/* sql */` SELECT "id", "email", "name" FROM "Users" 
@@ -275,17 +290,18 @@ export const hideUsers = async (userIds) => { const usedHsesUsernames = new Set(); const usedEmails = new Set(); + // Generate anonymized data for each user const fakeData = realUsers.map((user) => { let hsesUsername; let email; - // Ensure hsesUsername is unique + // Ensure that the generated HSES username is unique do { hsesUsername = faker.internet.email(); } while (usedHsesUsernames.has(hsesUsername)); usedHsesUsernames.add(hsesUsername); - // Ensure email is unique + // Ensure that the generated email is unique do { email = `no-send_${faker.internet.email()}`; } while (usedEmails.has(email)); @@ -295,15 +311,12 @@ export const hideUsers = async (userIds) => { id: user.id, hsesUsername, email, - phoneNumber: faker.phone.phoneNumber(), - name: faker.name.findName().replace(/'/g, ''), + phoneNumber: faker.phone.phoneNumber(), // Generate a fake phone number + name: faker.name.findName().replace(/'/g, ''), // Generate a fake name and remove any single quotes }; }); - // // Convert fake data to JSON string for SQL - // const fakeDataJSON = JSON.stringify(fakeData); - - // Update users using a CTE + // Update the Users table in the database with the anonymized data using a Common Table Expression (CTE) await sequelize.query(/* sql */` WITH fake_data AS ( SELECT @@ -322,7 +335,7 @@ export const hideUsers = async (userIds) => { replacements: { fakeDataJSON: JSON.stringify(fakeData) }, }); - // Retrieve transformed users + // Retrieve the transformed (anonymized) user data from the Users table for further processing [transformedUsers] = await sequelize.query(/* sql */` SELECT "id", "email", "name" FROM "Users" 
@@ -330,8 +343,9 @@ export const hideUsers = async (userIds) => { `); }; +// Function to anonymize recipient and grant data by replacing names and grant numbers with generated fake data export const hideRecipientsGrants = async (recipientsGrants) => { - // Parse recipientsGrants input + // Parse the recipientsGrants input string into arrays of recipients and grants const recipientsArray = recipientsGrants ? recipientsGrants.split('\n').map((el) => el.split('|')[0].trim()) : null; 
@@ -345,34 +359,39 @@ export const hideRecipientsGrants = async (recipientsGrants) => { ? `WHERE "number" ILIKE ANY(ARRAY[${grantsArray.map((g) => `'${g}'}`).join(', ')}])` : ''; - // Generate fake data for recipients + // Query the database to retrieve real recipient data based on the WHERE clause [realRecipients] = await sequelize.query(/* sql */` SELECT "id", "name" FROM "Recipients" ${recipientWhere}; `); + // Generate anonymized data for each recipient const fakeRecipientData = realRecipients.map((recipient) => ({ id: recipient.id, - name: faker.company.companyName().replace(/'/g, ''), + name: faker.company.companyName().replace(/'/g, ''), // Generate a fake company name and remove any single quotes })); - // Generate fake data for grants + // Query the database to retrieve real grant data based on the WHERE clause const [grants] = await sequelize.query(/* sql */` SELECT "id", "number", "programSpecialistName", "programSpecialistEmail", "grantSpecialistName", "grantSpecialistEmail" FROM "Grants" ${grantWhere}; `); + // Generate anonymized data for each grant const fakeGrantData = grants.map((grant) => { + // Anonymize the program specialist's name and email const programSpecialist = convertName( grant.programSpecialistName, grant.programSpecialistEmail, ); + // Anonymize the grant specialist's name and email const grantSpecialist = convertName( grant.grantSpecialistName, grant.grantSpecialistEmail, ); + // Generate a new grant number with a random animal type and trailing ID const trailingNumber = grant.id; const newGrantNumber = `0${faker.datatype.number({ min: 1, max: 9 })}${faker.animal.type()}0${trailingNumber}`; return { 
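Review bot: The `grantWhere` template on the context line renders each grant as `'${g}'}`, with a stray `}` after the closing quote. With `recipientsGrants` supplied, the array literal becomes `ARRAY['…'}, …]` and the `"Grants"` SELECT fails to parse, and the values are spliced into the SQL text unescaped. Binding them fixes both problems: use `WHERE "number" ILIKE ANY(ARRAY[:grantNumbers])` and pass `replacements: { grantNumbers: grantsArray }` to that query. `hideRecipientsGrants` starts before and ends after this hunk.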
@@ -385,11 +404,11 @@ export const hideRecipientsGrants = async (recipientsGrants) => { }; }); - // Convert fake data to JSON strings for SQL + // Convert the anonymized recipient and grant data into JSON strings for SQL processing const fakeRecipientDataJSON = JSON.stringify(fakeRecipientData); const fakeGrantDataJSON = JSON.stringify(fakeGrantData); - // Update recipients using a CTE + // Update the Recipients table in the database with the anonymized recipient data using a Common Table Expression (CTE) await sequelize.query(/* sql */` WITH fake_recipients AS ( SELECT @@ -402,7 +421,7 @@ export const hideRecipientsGrants = async (recipientsGrants) => { WHERE "Recipients"."id" = (data->>'id')::int; `); - // Update grants using a CTE + // Update the Grants table in the database with the anonymized grant data using a Common Table Expression (CTE) await sequelize.query(/* sql */` WITH fake_grants AS ( SELECT @@ -419,14 +438,14 @@ export const hideRecipientsGrants = async (recipientsGrants) => { WHERE "Grants"."id" = (data->>'id')::int; `); - // Bulk update MonitoringReviewGrantee, MonitoringClassSummary, and GrantNumberLink + // Bulk update related tables MonitoringReviewGrantee, MonitoringClassSummary, and GrantNumberLink with the new anonymized grant numbers await sequelize.query(/* sql */` - -- 1. Disable the foreign key constraints + -- 1. Disable the foreign key constraints temporarily to allow data modification ALTER TABLE "MonitoringReviewGrantees" DROP CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey"; ALTER TABLE "MonitoringClassSummaries" DROP CONSTRAINT "MonitoringClassSummaries_grantNumber_fkey"; -- 2. Perform the data modifications - -- Update MonitoringReviewGrantee + -- Update MonitoringReviewGrantee table with new grant numbers UPDATE "MonitoringReviewGrantees" mrg SET "grantNumber" = gr.number FROM "GrantNumberLinks" gnl 
@@ -434,7 +453,7 @@ export const hideRecipientsGrants = async (recipientsGrants) => { AND gnl."grantNumber" != gr.number WHERE mrg."grantNumber" = gnl."grantNumber"; - -- Update MonitoringClassSummary + -- Update MonitoringClassSummary table with new grant numbers UPDATE "MonitoringClassSummaries" mcs SET "grantNumber" = gr.number FROM "GrantNumberLinks" gnl @@ -442,26 +461,27 @@ export const hideRecipientsGrants = async (recipientsGrants) => { AND gnl."grantNumber" != gr.number WHERE mcs."grantNumber" = gnl."grantNumber"; - -- Update GrantNumberLink to reflect the new grant numbers + -- Update GrantNumberLink table to reflect the new grant numbers UPDATE "GrantNumberLinks" gnl SET "grantNumber" = gr.number FROM "Grants" gr WHERE gnl."grantId" = gr.id AND gnl."grantNumber" != gr.number; - -- 3. Re-add the foreign key constraints with NOT VALID + -- 3. Re-add the foreign key constraints with NOT VALID to allow revalidation later ALTER TABLE "MonitoringReviewGrantees" ADD CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey" FOREIGN KEY ("grantNumber") REFERENCES "GrantNumberLinks"("grantNumber") NOT VALID; ALTER TABLE "MonitoringClassSummaries" ADD CONSTRAINT "MonitoringClassSummaries_grantNumber_fkey" FOREIGN KEY ("grantNumber") REFERENCES "GrantNumberLinks"("grantNumber") NOT VALID; - -- 4. Revalidate the foreign key constraints + -- 4. Revalidate the foreign key constraints to ensure data integrity ALTER TABLE "MonitoringReviewGrantees" VALIDATE CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey"; ALTER TABLE "MonitoringClassSummaries" VALIDATE CONSTRAINT "MonitoringClassSummaries_grantNumber_fkey"; `); }; +// Function to generate a set of permissions for a user based on their user ID and predefined permission scopes const givePermissions = (id) => { const permissionsArray = [ { 
@@ -486,6 +506,7 @@ const givePermissions = (id) => { }, ]; + // Loop to generate READ_REPORTS permissions for regions 1 through 12 for (let region = 1; region < 13; region++) { permissionsArray.push({ userId: id, @@ -496,6 +517,8 @@ const givePermissions = (id) => { return permissionsArray; }; + +// Function to bootstrap HSES users into the system by either creating or updating them, and assigning appropriate permissions export const bootstrapUsers = async () => { const userPromises = []; for await (const hsesUser of hsesUsers) { @@ -510,13 +533,17 @@ export const bootstrapUsers = async () => { }; if (user) { id = user.id; + // If the user already exists, update their details userPromises.push(user.update(newUser, { individualHooks: true })); + // Assign permissions to the user for (const permission of givePermissions(id)) { userPromises.push(Permission.findOrCreate({ where: permission })); } } else { + // If the user does not exist, create a new user const createdUser = await User.create(newUser); if (createdUser) { + // Assign permissions to the newly created user for (const permission of givePermissions(createdUser.id)) { userPromises.push(Permission.findOrCreate({ where: permission })); } @@ -527,7 +554,9 @@ export const bootstrapUsers = async () => { } }; +// Function to truncate (empty) audit tables in the database while disabling and re-enabling triggers export const truncateAuditTables = async () => { + // Query the database to find all audit tables (tables starting with 'ZAL') except for specific ones that should not be truncated const tablesToTruncate = await sequelize.query(` SELECT table_name FROM information_schema.tables WHERE 
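Review bot: In the last hunk on this line, `truncateAuditTables` assigns the whole return value of `sequelize.query` to `tablesToTruncate`, while the recipient and grant queries earlier in this file destructure it (`const [grants] = await sequelize.query(...)`). If the call resolves to the usual `[results, metadata]` pair, the loop that follows would not be iterating table names, and the `ZAL` audit tables, which presumably hold copies of the original values, would not be emptied as the new comment says. I would destructure here as well, `const [tablesToTruncate] = await sequelize.query(`, and confirm the shape of each row before it is interpolated into the `ALTER TABLE` and `TRUNCATE TABLE` statements. The loop itself is outside this hunk.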
@@ -535,29 +564,35 @@ export const truncateAuditTables = async () => { table_name not in ('ZALDDL', 'ZALZADescriptor', 'ZALZAFilter') `, { raw: true }); + // Iterate through each table and perform truncation for await (const table of tablesToTruncate) { + // Disable triggers before truncating the table await sequelize.query(`ALTER TABLE "${table}" DISABLE TRIGGER all`); + // Truncate the table and restart its identity sequence await sequelize.query(`TRUNCATE TABLE "${table}" RESTART IDENTITY`); + // Re-enable triggers after truncating the table await sequelize.query(`ALTER TABLE "${table}" ENABLE TRIGGER all`); } }; +// Function to anonymize file names by replacing them with randomly generated file names while preserving their original extensions export const processFiles = async () => sequelize.query(/* sql */` UPDATE "Files" SET "originalFileName" = CONCAT( - SUBSTRING(md5(random()::text), 1, 8), -- Random file name - SUBSTRING("originalFileName" FROM '\\..*$') -- Original extension + SUBSTRING(md5(random()::text), 1, 8), -- Generate a random file name using MD5 hash + SUBSTRING("originalFileName" FROM '\\..*$') -- Preserve the original file extension ) WHERE "originalFileName" IS NOT NULL; `); +// Function to process and anonymize sensitive data in Activity Reports by replacing specific fields with generated fake data export const processActivityReports = async (where) => sequelize.query(/* sql */` UPDATE "ActivityReports" SET - -- "managerNotes" = "processHtml"("managerNotes"), - "additionalNotes" = "processHtml"("additionalNotes"), - "context" = "processHtml"("context"), + -- "managerNotes" = "processHtml"("managerNotes"), // Anonymize manager notes (commented out) + "additionalNotes" = "processHtml"("additionalNotes"), // Anonymize additional notes + "context" = "processHtml"("context"), // Anonymize context "imported" = CASE WHEN "imported" IS NOT NULL THEN jsonb_set("imported", '{additionalNotesForThisActivity}', 
to_jsonb("processHtml"("imported"->>'additionalNotesForThisActivity')), true) @@ -574,42 +609,51 @@ export const processActivityReports = async (where) => sequelize.query(/* sql */ "imported" END WHERE 1 = 1 - ${where}; + ${where}; // Apply the WHERE clause if provided to limit the scope of the update `); +// Main function to orchestrate the entire anonymization process, including creating and dropping database functions, hiding users, recipients, and grants, processing activity reports and files, and truncating audit tables const processData = async (mockReport) => sequelize.transaction(async () => { + // If a mockReport is provided, extract the activity report ID and relevant data const activityReportId = mockReport ? mockReport.id : null; const where = activityReportId ? `AND id = ${activityReportId}` : ''; const userIds = mockReport ? [3000, 3001, 3002, 3003] : null; - const recipientsGrants = mockReport ? mockReport.imported.granteeName : null; + // Create the necessary database functions for data processing await processHtmlCreate(); await convertEmailsCreate(); await convertRecipientNameCreate(); - // Hide users + // Anonymize user data await hideUsers(userIds); - // Hide recipients and grants + // Anonymize recipient and grant data await hideRecipientsGrants(recipientsGrants); + // Anonymize activity reports await processActivityReports(where); + // Anonymize file names await processFiles(); + // Bootstrap HSES users and assign permissions await bootstrapUsers(); - // Delete from RequestErrors + // Delete all records from the RequestErrors table await RequestErrors.destroy({ where: {}, truncate: true, }); + // Drop the database functions used for data processing await processHtmlDrop(); await convertEmailsDrop(); await convertRecipientNameDrop(); + + // Truncate audit tables return truncateAuditTables(); }); +// Export the main processData function as the default export of the module export default processData; 
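Review bot: The comments added after `"additionalNotes" = "processHtml"("additionalNotes"),` and `"context" = "processHtml"("context"),` use `//`, but they sit inside the template string sent to PostgreSQL, where only `--` and `/* */` start a comment. The UPDATE in `processActivityReports` would fail to parse, so the run would stop before activity reports are rewritten. The next hunk has the same problem at `${where}; // Apply the WHERE clause ...`. Either move these remarks above the `sequelize.query` call as JavaScript comments or write them in SQL form, e.g. `-- Anonymize additional notes`.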
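Review bot: The callback given to `sequelize.transaction` in `processData` takes no transaction argument, so none of the `hideUsers`, `hideRecipientsGrants`, `processActivityReports` or `processFiles` queries is explicitly tied to it. Unless the project enables Sequelize's CLS support elsewhere, each statement commits on its own, and a failure halfway leaves a database in which some tables still hold real names and emails. I would accept the argument, `sequelize.transaction(async (transaction) => {`, pass `{ transaction }` down to each query, and state in the new header comment whether the run is meant to be all-or-nothing. `where` is also built as `AND id = ${activityReportId}`; binding the id would be more robust than interpolating it.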
From d8952b21de5454061b57a00f9bd8445bdd9264ee Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 12:16:15 -0700 Subject: [PATCH 102/138] name change required --- automation/configs/{process-backup.yml => processed-backup.yml} | 0 automation/configs/{process-restore.yml => processed-restore.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename automation/configs/{process-backup.yml => processed-backup.yml} (100%) rename automation/configs/{process-restore.yml => processed-restore.yml} (100%) diff --git a/automation/configs/process-backup.yml b/automation/configs/processed-backup.yml similarity index 100% rename from automation/configs/process-backup.yml rename to automation/configs/processed-backup.yml diff --git a/automation/configs/process-restore.yml b/automation/configs/processed-restore.yml similarity index 100% rename from automation/configs/process-restore.yml rename to automation/configs/processed-restore.yml From 699dbdac9f23eded5a1f20b1004c71ea5a1eb870 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 16:27:17 -0700 Subject: [PATCH 103/138] Update latest_backup.sh --- bin/latest_backup.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/latest_backup.sh b/bin/latest_backup.sh index 62f0366e7d..2a3032aa93 100644 --- a/bin/latest_backup.sh +++ b/bin/latest_backup.sh 
@@ -163,13 +163,16 @@ list_all_backup_files() { printf "%-50s %-7s %-5s %-5s %-5s %-15s %-5s\n" "Name" "Format" "pwd" "md5" "sha256" "size" "age(days)" current_date=$(date +%s) echo "${backup_files}" | \ - while read line; do \ + while IFS= read -r line; do \ echo "${line##*.} ${line}";\ done |\ sort -rk5 |\ tr '\n' ' ' | \ sed 's~ \(zip\|zenc\) ~\n& ~g' |\ - while read line; do + sed -r 's/^[ \t]*//g' |\ + sed -r 's/[ \t]+/ /g' |\ + awk '{print $0 "\n"}' | \ + while IFS= read -r line; do backup_file=$(echo ${line} | awk '{split($5, a, "/"); print a[length(a)]}'); format=$(echo ${line} | awk '{print $1}') has_pwd=$([[ $line == *" pwd "* ]] && echo "x" || echo ""); From cc20c785a2ee7ae14f03112f49325ae0a3d02066 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 16:32:07 -0700 Subject: [PATCH 104/138] Update latest_backup.sh --- bin/latest_backup.sh | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/bin/latest_backup.sh b/bin/latest_backup.sh index 2a3032aa93..a3d670d82c 100644 --- a/bin/latest_backup.sh +++ b/bin/latest_backup.sh 
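Review bot: The added `awk '{print $0 "\n"}'` stage appends an empty line after every record, so the `while IFS= read -r line` loop that follows also runs once per blank line and derives a file name, format and flags from nothing. The next patch in this series hides the resulting rows with `grep -v "N/A"`, which also removes any real backup whose size field is not numeric from the table that shows which backups lack `pwd`, `md5` or `sha256` entries. I would drop the `awk` stage, or guard the loop with `[[ -z "$line" ]] && continue`, so that malformed rows stay visible. `list_all_backup_files` continues outside this hunk.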
@@ -173,23 +173,30 @@ list_all_backup_files() { sed -r 's/[ \t]+/ /g' |\ awk '{print $0 "\n"}' | \ while IFS= read -r line; do - backup_file=$(echo ${line} | awk '{split($5, a, "/"); print a[length(a)]}'); - format=$(echo ${line} | awk '{print $1}') - has_pwd=$([[ $line == *" pwd "* ]] && echo "x" || echo ""); - has_md5=$([[ $line == *" md5 "* ]] && echo "x" || echo ""); - has_sha256=$([[ $line == *" sha256 "* ]] && echo "x" || echo ""); - backup_size=$(numfmt --to=iec-i --suffix=B $(echo ${line} | awk '{print $4}')); - - # Determine OS and use appropriate date command + backup_file=$(echo "${line}" | awk '{split($5, a, "/"); print a[length(a)]}') + format=$(echo "${line}" | awk '{print $1}') + has_pwd=$([[ $line == *" pwd "* ]] && echo "x" || echo "") + has_md5=$([[ $line == *" md5 "* ]] && echo "x" || echo "") + has_sha256=$([[ $line == *" sha256 "* ]] && echo "x" || echo "") + + # Extract the size and validate it's numeric before passing to numfmt + backup_size=$(echo "${line}" | awk '{print $4}') + if [[ "$backup_size" =~ ^[0-9]+$ ]]; then + backup_size=$(numfmt --to=iec-i --suffix=B "$backup_size") + else + backup_size="N/A" # Handle cases where the size is not a number + fi + if [[ "$OSTYPE" == "darwin"* ]]; then - backup_age=$(( ( $(date +%s) - $(date -j -f "%Y-%m-%d" "$(echo ${line} | awk '{print $2}')" +%s) ) / 86400 )) + backup_age=$(( ( $(date +%s) - $(date -j -f "%Y-%m-%d" "$(echo "${line}" | awk '{print $2}')" +%s) ) / 86400 )) else - backup_age=$(( ( $(date +%s) - $(date -d "$(echo ${line} | awk '{print $2}')" +%s) ) / 86400 )) + backup_age=$(( ( $(date +%s) - $(date -d "$(echo "${line}" | awk '{print $2}')" +%s) ) / 86400 )) fi - printf "%-50s %-7s %-5s %-5s %-5s %-15s %-5s\n" "$backup_file" "$format" "$has_pwd" "$has_md5" "$has_sha256" "$backup_size" "$backup_age"; + printf "%-50s %-7s %-5s %-5s %-5s %-15s %-5s\n" "$backup_file" "$format" "$has_pwd" "$has_md5" "$has_sha256" "$backup_size" "$backup_age" done |\ - sort -k1 + sort -k1 |\ + grep -v 
"N/A" fi } From 1cccdc1a3f9cf9359906caab9a4cf0016fabdaa3 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 16:47:20 -0700 Subject: [PATCH 105/138] set up daily job --- .circleci/config.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1deef22ccc..7d090b0bd2 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1461,6 +1461,15 @@ workflows: - << pipeline.parameters.prod_git_branch >> jobs: - backup_upload_production + - restore_production_for_processing: + requires: + - backup_upload_production + - process_production: + requires: + - restore_production_for_processing + - process_backup: + requires: + - process_production manual_backup_upload_production: when: equal: [true, << pipeline.parameters.manual-trigger >>] From dac477234f6a60bbe2aff98380b97245fe3bb623 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 17:02:29 -0700 Subject: [PATCH 106/138] lint --- src/tools/processData.js | 91 +++++++++++++++++++++++++--------------- 1 file changed, 58 insertions(+), 33 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index 7d31a885b2..3537c57184 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js 
@@ -20,8 +20,11 @@ const READ_REPORTS = 4; const APPROVE_REPORTS = 5; /** - * The processData script is responsible for anonymizing sensitive user data, including names, emails, recipient information, grant details, and certain HTML fields. - * This anonymization ensures that the resulting database, which can then be restored in non-production environments, preserves existing relationships and non-personally identifiable information (non-PII) data. + * The processData script is responsible for anonymizing sensitive user data, including names, + * emails, recipient information, grant details, and certain HTML fields. + * This anonymization ensures that the resulting database, which can then be restored in + * non-production environments, preserves existing relationships and non-personally identifiable + * information (non-PII) data. */ // Arrays to hold the original real user data and the transformed anonymized user data @@ -29,7 +32,8 @@ let realUsers = []; let transformedUsers = []; let realRecipients = []; -// Predefined list of users from HSES (Head Start Enterprise System) with their details such as name, username, user ID, and email +// Predefined list of users from HSES (Head Start Enterprise System) with their details such as +// name, username, user ID, and email const hsesUsers = [ { name: 'Adam Levin', hsesUsername: 'test.tta.adam', hsesUserId: '50783', email: 'adam.levin@adhocteam.us', 
@@ -72,14 +76,16 @@ const hsesUsers = [ }, ]; -// A helper function to generate a fake email address by prefixing 'no-send_' to a randomly generated email using the faker library +// A helper function to generate a fake email address by prefixing 'no-send_' to a randomly +// generated email using the faker library const generateFakeEmail = () => 'no-send_'.concat(faker.internet.email()); // chr(92) represents the backslash (\) character in ASCII. This prevents JavaScript from // interfering with the escape sequences in your SQL regular expression when you pass the // query as a string in sequelize.query. -// Function to create a PL/pgSQL function in the PostgreSQL database that processes HTML content by replacing words with randomly generated words +// Function to create a PL/pgSQL function in the PostgreSQL database that processes HTML content by +// replacing words with randomly generated words const processHtmlCreate = async () => sequelize.query(/* sql */` CREATE OR REPLACE FUNCTION "processHtml"(input TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE @@ -113,7 +119,8 @@ const processHtmlDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "processHtml"(TEXT); `); -// Function to create a PL/pgSQL function in the PostgreSQL database that converts email addresses by either finding a corresponding anonymized email or generating a fake one +// Function to create a PL/pgSQL function in the PostgreSQL database that converts email addresses +// by either finding a corresponding anonymized email or generating a fake one const convertEmailsCreate = async () => sequelize.query(/* sql */` CREATE OR REPLACE FUNCTION "convertEmails"(emails TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE 
@@ -182,12 +189,13 @@ const convertEmailsDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "convertEmails"(TEXT); `); -// Function to convert a user's name and email to anonymized data, ensuring consistent anonymization across the dataset +// Function to convert a user's name and email to anonymized data, ensuring consistent +// anonymization across the dataset export const convertName = (name, email) => { if (!name) { return { name, email }; } - const additionalId = 99999; // Arbitrary ID to use for users not found in the realUsers array + const additionalId = 99999; // Arbitrary ID to use for users not found in the realUsers array let foundUser = realUsers.find((user) => user.email === email); // If the user is not found and the email contains '@', add the user to the realUsers array 
@@ -199,18 +207,20 @@ export const convertName = (name, email) => { // Find the corresponding transformed (anonymized) user data let foundTransformedUser = transformedUsers.find((user) => user.id === foundUser.id); if (!foundTransformedUser) { - // If the transformed user is not found, create a new transformed user with a fake name and email + // If the transformed user is not found, create a new transformed user with a fake name + // and email foundTransformedUser = { id: foundUser.id, - name: faker.name.findName(), // Generate a fake name - email: generateFakeEmail(), // Generate a fake email + name: faker.name.findName(), // Generate a fake name + email: generateFakeEmail(), // Generate a fake email }; transformedUsers.push(foundTransformedUser); } return foundTransformedUser; }; -// Function to create a PL/pgSQL function in the PostgreSQL database that converts recipient names and grant numbers to anonymized data +// Function to create a PL/pgSQL function in the PostgreSQL database that converts recipient names +// and grant numbers to anonymized data const convertRecipientNameCreate = async () => sequelize.query(/* sql */` CREATE OR REPLACE FUNCTION "convertRecipientName"(recipients_grants TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE @@ -274,7 +284,8 @@ const convertRecipientNameDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "convertRecipientName"(TEXT); `); -// Function to anonymize user data by replacing names, emails, and other details with generated fake data +// Function to anonymize user data by replacing names, emails, and other details with generated +// fake data export const hideUsers = async (userIds) => { // Prepare the WHERE clause for the query based on the provided user IDs, if any const ids = userIds || null; 
@@ -311,12 +322,15 @@ export const hideUsers = async (userIds) => { id: user.id, hsesUsername, email, - phoneNumber: faker.phone.phoneNumber(), // Generate a fake phone number - name: faker.name.findName().replace(/'/g, ''), // Generate a fake name and remove any single quotes + // Generate a fake phone number + phoneNumber: faker.phone.phoneNumber(), + // Generate a fake name and remove any single quotes + name: faker.name.findName().replace(/'/g, ''), }; }); - // Update the Users table in the database with the anonymized data using a Common Table Expression (CTE) + // Update the Users table in the database with the anonymized data using a Common Table + // Expression (CTE) await sequelize.query(/* sql */` WITH fake_data AS ( SELECT @@ -343,7 +357,8 @@ export const hideUsers = async (userIds) => { `); }; -// Function to anonymize recipient and grant data by replacing names and grant numbers with generated fake data +// Function to anonymize recipient and grant data by replacing names and grant numbers with +// generated fake data export const hideRecipientsGrants = async (recipientsGrants) => { // Parse the recipientsGrants input string into arrays of recipients and grants const recipientsArray = recipientsGrants @@ -369,7 +384,8 @@ export const hideRecipientsGrants = async (recipientsGrants) => { // Generate anonymized data for each recipient const fakeRecipientData = realRecipients.map((recipient) => ({ id: recipient.id, - name: faker.company.companyName().replace(/'/g, ''), // Generate a fake company name and remove any single quotes + // Generate a fake company name and remove any single quotes + name: faker.company.companyName().replace(/'/g, ''), })); // Query the database to retrieve real grant data based on the WHERE clause 
@@ -408,7 +424,8 @@ export const hideRecipientsGrants = async (recipientsGrants) => { const fakeRecipientDataJSON = JSON.stringify(fakeRecipientData); const fakeGrantDataJSON = JSON.stringify(fakeGrantData); - // Update the Recipients table in the database with the anonymized recipient data using a Common Table Expression (CTE) + // Update the Recipients table in the database with the anonymized recipient data using a Common + // Table Expression (CTE) await sequelize.query(/* sql */` WITH fake_recipients AS ( SELECT @@ -421,7 +438,8 @@ export const hideRecipientsGrants = async (recipientsGrants) => { WHERE "Recipients"."id" = (data->>'id')::int; `); - // Update the Grants table in the database with the anonymized grant data using a Common Table Expression (CTE) + // Update the Grants table in the database with the anonymized grant data using a Common Table + // Expression (CTE) await sequelize.query(/* sql */` WITH fake_grants AS ( SELECT @@ -438,7 +456,8 @@ export const hideRecipientsGrants = async (recipientsGrants) => { WHERE "Grants"."id" = (data->>'id')::int; `); - // Bulk update related tables MonitoringReviewGrantee, MonitoringClassSummary, and GrantNumberLink with the new anonymized grant numbers + // Bulk update related tables MonitoringReviewGrantee, MonitoringClassSummary, and + // GrantNumberLink with the new anonymized grant numbers await sequelize.query(/* sql */` -- 1. Disable the foreign key constraints temporarily to allow data modification ALTER TABLE "MonitoringReviewGrantees" DROP CONSTRAINT "MonitoringReviewGrantees_grantNumber_fkey"; @@ -481,7 +500,8 @@ export const hideRecipientsGrants = async (recipientsGrants) => { `); }; -// Function to generate a set of permissions for a user based on their user ID and predefined permission scopes +// Function to generate a set of permissions for a user based on their user ID and predefined +// permission scopes const givePermissions = (id) => { const permissionsArray = [ { 
@@ -518,7 +538,8 @@ const givePermissions = (id) => { return permissionsArray; }; -// Function to bootstrap HSES users into the system by either creating or updating them, and assigning appropriate permissions +// Function to bootstrap HSES users into the system by either creating or updating them, and +// assigning appropriate permissions export const bootstrapUsers = async () => { const userPromises = []; for await (const hsesUser of hsesUsers) { @@ -554,9 +575,10 @@ export const bootstrapUsers = async () => { } }; -// Function to truncate (empty) audit tables in the database while disabling and re-enabling triggers +// Function to truncate audit tables in the database while disabling and re-enabling triggers export const truncateAuditTables = async () => { - // Query the database to find all audit tables (tables starting with 'ZAL') except for specific ones that should not be truncated + // Query the database to find all audit tables (tables starting with 'ZAL') except for specific + // ones that should not be truncated const tablesToTruncate = await sequelize.query(` SELECT table_name FROM information_schema.tables WHERE @@ -575,7 +597,8 @@ export const truncateAuditTables = async () => { } }; -// Function to anonymize file names by replacing them with randomly generated file names while preserving their original extensions +// Function to anonymize file names by replacing them with randomly generated file names while +// preserving their original extensions export const processFiles = async () => sequelize.query(/* sql */` UPDATE "Files" SET "originalFileName" = 
@@ -586,13 +609,13 @@ export const processFiles = async () => sequelize.query(/* sql */` WHERE "originalFileName" IS NOT NULL; `); -// Function to process and anonymize sensitive data in Activity Reports by replacing specific fields with generated fake data +// Function to process and anonymize sensitive data in Activity Reports by replacing specific +// fields with generated fake data export const processActivityReports = async (where) => sequelize.query(/* sql */` UPDATE "ActivityReports" SET - -- "managerNotes" = "processHtml"("managerNotes"), // Anonymize manager notes (commented out) - "additionalNotes" = "processHtml"("additionalNotes"), // Anonymize additional notes - "context" = "processHtml"("context"), // Anonymize context + "additionalNotes" = "processHtml"("additionalNotes"), + "context" = "processHtml"("context"), "imported" = CASE WHEN "imported" IS NOT NULL THEN jsonb_set("imported", '{additionalNotesForThisActivity}', to_jsonb("processHtml"("imported"->>'additionalNotesForThisActivity')), true) @@ -609,10 +632,12 @@ export const processActivityReports = async (where) => sequelize.query(/* sql */ "imported" END WHERE 1 = 1 - ${where}; // Apply the WHERE clause if provided to limit the scope of the update + ${where}; `); - -// Main function to orchestrate the entire anonymization process, including creating and dropping database functions, hiding users, recipients, and grants, processing activity reports and files, and truncating audit tables +/* Main function to orchestrate the entire anonymization process, including creating and dropping +* database functions, hiding users, recipients, and grants, processing activity reports and files, +* and truncating audit tables +*/ const processData = async (mockReport) => sequelize.transaction(async () => { // If a mockReport is provided, extract the activity report ID and relevant data const activityReportId = mockReport ? mockReport.id : null; 
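Review bot: Removing the `-- "managerNotes" = "processHtml"("managerNotes"),` line in the first hunk here also removes the only hint in `processActivityReports` that this column is deliberately left out. If `ActivityReports` still has a free-text `managerNotes` column, it would pass into the processed database unchanged; I cannot tell from this hunk whether it does. A one-line SQL comment such as `-- managerNotes is not rewritten because <reason>` above the SET list would record the decision.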
From ef20090101bb849e370c65e6b6fce7a2e5ee4ec2 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 30 Aug 2024 17:03:10 -0700 Subject: [PATCH 107/138] lint --- src/tools/processData.test.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/tools/processData.test.js b/src/tools/processData.test.js index 2a55775e20..c48945dca1 100644 --- a/src/tools/processData.test.js +++ b/src/tools/processData.test.js @@ -26,10 +26,7 @@ import processData, { hideUsers, hideRecipientsGrants, bootstrapUsers, - convertEmails, convertName, - convertFileName, - convertRecipientName, } from './processData'; jest.mock('../logger'); From 22b08a4ab78d5d4e89c9caa8329e4a4882ef8a4c Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 3 Sep 2024 13:18:37 -0700 Subject: [PATCH 108/138] clean up --- src/tools/processData.js | 2 +- src/tools/processData.test.js | 67 +++++------------------------------ 2 files changed, 10 insertions(+), 59 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index 3537c57184..989ac50cbb 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -20,7 +20,7 @@ const READ_REPORTS = 4; const APPROVE_REPORTS = 5; /** - * The processData script is responsible for anonymizing sensitive user data, including names, + * The processData script is responsible for anonymizing sensitive user data, including names, * emails, recipient information, grant details, and certain HTML fields. * This anonymization ensures that the resulting database, which can then be restored in * non-production environments, preserves existing relationships and non-personally identifiable diff --git a/src/tools/processData.test.js b/src/tools/processData.test.js index c48945dca1..67ae48eecd 100644 --- a/src/tools/processData.test.js +++ b/src/tools/processData.test.js 
@@ -26,7 +26,7 @@ import processData, { hideUsers, hideRecipientsGrants, bootstrapUsers, - convertName, + convertName, // Kept as it's still used in the main code } from './processData'; jest.mock('../logger'); @@ -92,7 +92,6 @@ const mockFile = { fileSize: 54417, }; -// TODO: ttaProvided needs to move from ActivityReportObjective to ActivityReportObjective const reportObject = { activityRecipientType: 'recipient', userId: mockUser.id, @@ -323,10 +322,11 @@ describe('processData', () => { await Grant.unscoped().destroy({ where: { id: GRANT_ID_TWO }, individualHooks: true }); await Recipient.unscoped().destroy({ where: { id: RECIPIENT_ID_ONE } }); await Recipient.unscoped().destroy({ where: { id: RECIPIENT_ID_TWO } }); + await destroyMonitoringData(); await sequelize.close(); }); - it('transforms user emails, recipientName in the ActivityReports table (imported)', async () => { + it('transforms user emails and recipient names in the ActivityReports table (imported)', async () => { const report = await ActivityReport.create(reportObject); mockActivityReportFile.activityReportId = report.id; await ActivityReportFile.destroy({ where: { id: mockActivityReportFile.id } }); @@ -386,7 +386,8 @@ describe('processData', () => { const transformedRecipient = await Recipient.findOne({ where: { id: RECIPIENT_ID_ONE } }); expect(transformedRecipient.name).not.toBe('Agency One, Inc.'); }); - it('transforms grant names in the Grants table', async () => { + + it('transforms grant numbers in the Grants table', async () => { await hideRecipientsGrants(reportObject.imported.granteeName); const transformedGrant = await Grant.findOne({ where: { recipientId: RECIPIENT_ID_ONE } }); 
@@ -424,19 +425,18 @@ describe('processData', () => { it('updates grant numbers in the MonitoringReviewGrantee table', async () => { await hideRecipientsGrants(reportObject.imported.granteeName); - // Find the updated record + // Verify that no record with the old grant number exists anymore const monitoringReviewGranteeRecord = await MonitoringReviewGrantee.findOne({ where: { grantNumber: GRANT_NUMBER_ONE }, }); - // Verify that no record with the old grant number exists anymore expect(monitoringReviewGranteeRecord).toBeNull(); + // Verify that no record with the old grant number exists anymore const monitoringClassSummaryRecord = await MonitoringClassSummary.findOne({ where: { grantNumber: GRANT_NUMBER_ONE }, }); - // Verify that no record with the old grant number exists anymore expect(monitoringClassSummaryRecord).toBeNull(); }); }); @@ -449,6 +449,7 @@ describe('processData', () => { expect(user.homeRegionId).toBe(14); }); + it('gives permissions to users', async () => { await bootstrapUsers(); @@ -458,24 +459,6 @@ describe('processData', () => { }); }); - describe('convertEmails', () => { - it('handles null emails', async () => { - const emails = convertEmails(null); - expect(emails).toBe(null); - }); - - it('handles emails lacking a @', async () => { - const emails = convertEmails('test,test2@test.com,test3'); - expect(emails.match(/^[^\s@]+@[^\s@]+\.[^\s@]+$/)).toBeTruthy(); - }); - - it('should convert a single email address to a transformed email address', () => { - const input = 'real@example.com'; - const output = convertEmails(input); - expect(output).toMatch(/^no-send_/); - }); - }); - describe('convertName', () => { it('handles a program specialist not in the hub', async () => { const name = await convertName('test', 'test@test.com'); 
@@ -486,37 +469,5 @@ describe('processData', () => { }); }); }); - - describe('convertFileName', () => { - it('handles null file names', async () => { - const fileName = await convertFileName(null); - expect(fileName).toBe(null); - }); - }); - - describe('convertRecipientName', () => { - it('handles null recipient names', async () => { - const recipientName = await convertRecipientName(null); - expect(recipientName).toBe(null); - }); - - it('converts recipient grants correctly', () => { - const recipientsGrants = 'John Doe|01HP044445\nJane Doe|09CH011111'; - const expected = 'Unknown Recipient | UnknownGrant\nUnknown Recipient | UnknownGrant'; - const result = convertRecipientName(recipientsGrants); - expect(result).toBe(expected); - }); - - it('handles missing grants', () => { - const recipientsGrants = 'John Doe|Missing\nJane Doe|'; - const expected = 'Unknown Recipient | UnknownGrant\nUnknown Recipient | UnknownGrant'; - const result = convertRecipientName(recipientsGrants); - expect(result).toBe(expected); - }); - - it('returns an empty string for empty input', () => { - const result = convertRecipientName(''); - expect(result).toBe(''); - }); - }); }); + From 751c026e0af176cd8623d94a1a6d95b910ccc8af Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 3 Sep 2024 13:37:26 -0700 Subject: [PATCH 109/138] Update processData.test.js --- src/tools/processData.test.js | 1 - 1 file changed, 1 deletion(-) diff --git a/src/tools/processData.test.js b/src/tools/processData.test.js index 67ae48eecd..517ffd80a6 100644 --- a/src/tools/processData.test.js +++ b/src/tools/processData.test.js @@ -470,4 +470,3 @@ describe('processData', () => { }); }); }); - From 1044171eac8e62b7df5b179b63a35ba91c87d847 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 3 Sep 2024 16:00:13 -0700 Subject: [PATCH 110/138] Update s3.test.js --- src/lib/s3.test.js | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) 
diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 2450ab76ff..958c163cc6 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -117,8 +117,10 @@ describe('verifyVersioning', () => { let mockPut; beforeEach(() => { - mockGet = S3().getBucketVersioning.mockImplementation(async () => mockVersioningData); - mockPut = S3().putBucketVersioning.mockImplementation(async (params) => new Promise((res) => { + s3.getBucketVersioning = jest.fn(); + s3.putBucketVersioning = jest.fn(); + mockGet = s3.getBucketVersioning.mockImplementation(async () => mockVersioningData); + mockPut = s3.putBucketVersioning.mockImplementation(async (params) => new Promise((res) => { res(params); })); mockGet.mockClear(); @@ -126,7 +128,7 @@ describe('verifyVersioning', () => { }); afterEach(() => { - jest.restoreAllMocks(); + jest.resetAllMocks(); }); it('throws an error if S3 is not configured', async () => { @@ -169,6 +171,8 @@ describe('uploadFile', () => { let mockGet; beforeEach(() => { + s3.upload = jest.fn(); + s3.getBucketVersioning = jest.fn(); mockUpload = s3.upload.mockImplementation(() => promise); mockGet = s3.getBucketVersioning.mockImplementation(async () => mockVersioningData); }); @@ -196,6 +200,7 @@ describe('getPresignedURL', () => { let mockGetURL; beforeEach(() => { + s3.getSignedUrl = jest.fn(); mockGetURL = s3.getSignedUrl.mockImplementation(() => 'https://example.com'); }); @@ -227,6 +232,7 @@ describe('s3Uploader.deleteFileFromS3', () => { let mockDeleteObject; beforeEach(() => { + s3.deleteObject = jest.fn(); mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve('good') })); }); @@ -257,6 +263,7 @@ describe('s3Uploader.deleteFileFromS3Job', () => { let mockDeleteObject; beforeEach(() => { + s3.deleteObject = jest.fn(); mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }), })); From 2fbb9f95f7f885fce85459cf55428c545569ecbc Mon Sep 17 00:00:00 2001 
From: GarrettEHill Date: Tue, 3 Sep 2024 16:44:45 -0700 Subject: [PATCH 111/138] Update processData.js --- src/tools/processData.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index 989ac50cbb..459d2e8f77 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -289,12 +289,13 @@ const convertRecipientNameDrop = async () => sequelize.query(/* sql */` export const hideUsers = async (userIds) => { // Prepare the WHERE clause for the query based on the provided user IDs, if any const ids = userIds || null; - const whereClause = ids ? `WHERE "id" IN (${ids.join(', ')})` : ''; + const whereClause = ids ? `AND "id" IN (${ids.join(', ')})` : ''; // Query the database to retrieve real user data based on the WHERE clause [realUsers] = await sequelize.query(/* sql */` SELECT "id", "email", "name" FROM "Users" + WHERE 1 = 1 ${whereClause}; `); From a28e24239b9881644fbc7bfa8db9a977e68b11ae Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Thu, 3 Oct 2024 16:07:20 -0700 Subject: [PATCH 112/138] refactor tests --- src/lib/s3.test.js | 431 +++++++++++++++++++++++---------------------- 1 file changed, 217 insertions(+), 214 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 958c163cc6..67eb76e6f4 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -21,6 +21,8 @@ jest.mock('aws-sdk', () => { return { S3: jest.fn(() => mS3) }; }); +const mockS3 = s3 || S3(); + const oldEnv = { ...process.env }; const VCAP_SERVICES = { s3: [ 
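Review bot: `whereClause` in `hideUsers` is still built by joining `userIds` straight into the SQL text, so the statement is only as safe as whatever the caller passes; moving from `WHERE` to `AND` under `WHERE 1 = 1` leaves that unchanged. Binding the list keeps the values out of the statement, e.g. `const whereClause = ids ? 'AND "id" IN (:ids)' : '';` with `sequelize.query(sql, { replacements: { ids } })`, or at minimum reject anything that fails `ids.every(Number.isInteger)` before building the clause. An empty array is truthy here and would render `IN ()`, which PostgreSQL rejects, so `ids && ids.length` is the safer guard. `hideUsers` continues outside this hunk, and any other query there that reuses `whereClause` is affected in the same way.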
@@ -50,253 +52,254 @@ const VCAP_SERVICES = { }, ], }; +describe('S3', () => { + describe('Tests s3 client setup', () => { + afterEach(() => { process.env = oldEnv; }); + + it('returns proper config with process.env.VCAP_SERVICES set', () => { + process.env.VCAP_SERVICES = JSON.stringify(VCAP_SERVICES); + const { credentials } = VCAP_SERVICES.s3[0]; + const want = { + bucketName: credentials.bucket, + s3Config: { + accessKeyId: credentials.access_key_id, + endpoint: credentials.fips_endpoint, + secretAccessKey: credentials.secret_access_key, + signatureVersion: 'v4', + s3ForcePathStyle: true, + }, + }; + const got = generateS3Config(); + expect(got).toMatchObject(want); + }); -describe('Tests s3 client setup', () => { - afterEach(() => { process.env = oldEnv; }); - - it('returns proper config with process.env.VCAP_SERVICES set', () => { - process.env.VCAP_SERVICES = JSON.stringify(VCAP_SERVICES); - const { credentials } = VCAP_SERVICES.s3[0]; - const want = { - bucketName: credentials.bucket, - s3Config: { - accessKeyId: credentials.access_key_id, - endpoint: credentials.fips_endpoint, - secretAccessKey: credentials.secret_access_key, - signatureVersion: 'v4', - s3ForcePathStyle: true, - }, - }; - const got = generateS3Config(); - expect(got).toMatchObject(want); - }); - - it('returns proper config with process.env.VCAP_SERVICES not set', () => { - process.env.S3_BUCKET = 'test-bucket'; - process.env.AWS_ACCESS_KEY_ID = 'superSecretAccessKeyId'; - process.env.AWS_SECRET_ACCESS_KEY = 'superSecretAccessKey'; - process.env.S3_ENDPOINT = 'localhost'; - - const want = { - bucketName: process.env.S3_BUCKET, - s3Config: { - accessKeyId: process.env.AWS_ACCESS_KEY_ID, - endpoint: process.env.S3_ENDPOINT, - secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY, - signatureVersion: 'v4', - s3ForcePathStyle: true, - }, - }; - const got = generateS3Config(); - expect(got).toMatchObject(want); - }); - - it('returns null config when no S3 environment variables or VCAP_SERVICES are 
set', () => { - delete process.env.VCAP_SERVICES; - delete process.env.S3_BUCKET; - delete process.env.AWS_ACCESS_KEY_ID; - delete process.env.AWS_SECRET_ACCESS_KEY; - delete process.env.S3_ENDPOINT; + it('returns proper config with process.env.VCAP_SERVICES not set', () => { + process.env.S3_BUCKET = 'test-bucket'; + process.env.AWS_ACCESS_KEY_ID = 'superSecretAccessKeyId'; + process.env.AWS_SECRET_ACCESS_KEY = 'superSecretAccessKey'; + process.env.S3_ENDPOINT = 'localhost'; + + const want = { + bucketName: process.env.S3_BUCKET, + s3Config: { + accessKeyId: process.env.AWS_ACCESS_KEY_ID, + endpoint: process.env.S3_ENDPOINT, + secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY, + signatureVersion: 'v4', + s3ForcePathStyle: true, + }, + }; + const got = generateS3Config(); + expect(got).toMatchObject(want); + }); - const want = { - bucketName: null, - s3Config: null, - }; - const got = generateS3Config(); - expect(got).toMatchObject(want); + it('returns null config when no S3 environment variables or VCAP_SERVICES are set', () => { + delete process.env.VCAP_SERVICES; + delete process.env.S3_BUCKET; + delete process.env.AWS_ACCESS_KEY_ID; + delete process.env.AWS_SECRET_ACCESS_KEY; + delete process.env.S3_ENDPOINT; + + const want = { + bucketName: null, + s3Config: null, + }; + const got = generateS3Config(); + expect(got).toMatchObject(want); + }); }); -}); -const mockVersioningData = { - MFADelete: 'Disabled', - Status: 'Enabled', -}; + const mockVersioningData = { + MFADelete: 'Disabled', + Status: 'Enabled', + }; -describe('verifyVersioning', () => { - let mockGet; - let mockPut; - - beforeEach(() => { - s3.getBucketVersioning = jest.fn(); - s3.putBucketVersioning = jest.fn(); - mockGet = s3.getBucketVersioning.mockImplementation(async () => mockVersioningData); - mockPut = s3.putBucketVersioning.mockImplementation(async (params) => new Promise((res) => { - res(params); - })); - mockGet.mockClear(); - mockPut.mockClear(); - }); + describe('verifyVersioning', () 
=> { + let mockGet; + let mockPut; + + beforeEach(() => { + mockS3.getBucketVersioning = jest.fn(); + mockS3.putBucketVersioning = jest.fn(); + mockGet = mockS3.getBucketVersioning.mockImplementation(async () => mockVersioningData); + mockPut = mockS3.putBucketVersioning.mockImplementation(async (params) => new Promise((res) => { + res(params); + })); + mockGet.mockClear(); + mockPut.mockClear(); + }); - afterEach(() => { - jest.resetAllMocks(); - }); + afterEach(() => { + jest.resetAllMocks(); + }); - it('throws an error if S3 is not configured', async () => { - await expect(verifyVersioning(VCAP_SERVICES.s3[0].binding_name, null)).rejects.toThrow('S3 is not configured.'); - }); + it('throws an error if S3 is not configured', async () => { + await expect(verifyVersioning(VCAP_SERVICES.s3[0].binding_name, null)).rejects.toThrow('S3 is not configured.'); + }); - it('Doesn\'t change things if versioning is enabled', async () => { - const got = await verifyVersioning(); - expect(mockGet.mock.calls.length).toBe(1); - expect(mockPut.mock.calls.length).toBe(0); - expect(got).toBe(mockVersioningData); - }); + it('Doesn\'t change things if versioning is enabled', async () => { + const got = await verifyVersioning(undefined, mockS3); + expect(mockGet.mock.calls.length).toBe(1); + expect(mockPut.mock.calls.length).toBe(0); + expect(got).toBe(mockVersioningData); + }); - it('Enables versioning if it is disabled', async () => { - mockGet.mockImplementationOnce(async () => { }); // Simulate disabled versioning - const got = await verifyVersioning(process.env.S3_BUCKET); - expect(mockGet.mock.calls.length).toBe(1); - expect(mockPut.mock.calls.length).toBe(1); - expect(got.Bucket).toBe(process.env.S3_BUCKET); - expect(got.VersioningConfiguration.MFADelete).toBe(mockVersioningData.MFADelete); - expect(got.VersioningConfiguration.Status).toBe(mockVersioningData.Status); + it('Enables versioning if it is disabled', async () => { + mockGet.mockImplementationOnce(async () => { }); // 
Simulate disabled versioning + const got = await verifyVersioning(process.env.S3_BUCKET, mockS3); + expect(mockGet.mock.calls.length).toBe(1); + expect(mockPut.mock.calls.length).toBe(1); + expect(got.Bucket).toBe(process.env.S3_BUCKET); + expect(got.VersioningConfiguration.MFADelete).toBe(mockVersioningData.MFADelete); + expect(got.VersioningConfiguration.Status).toBe(mockVersioningData.Status); + }); }); -}); -describe('uploadFile', () => { - const goodType = { ext: 'pdf', mime: 'application/pdf' }; - const buf = Buffer.from('Testing, Testing', 'UTF-8'); - const name = `${uuidv4()}.${goodType.ext}`; - const response = { - ETag: '"8b03d1d48774bfafdb26691256fc7b2b"', - Location: `${process.env.S3_ENDPOINT}/${process.env.S3_BUCKET}/${name}`, - key: `${name}`, - Key: `${name}`, - Bucket: `${process.env.S3_BUCKET}`, - }; - const promise = { - promise: () => new Promise((resolve) => { resolve(response); }), - }; - let mockUpload; - let mockGet; - - beforeEach(() => { - s3.upload = jest.fn(); - s3.getBucketVersioning = jest.fn(); - mockUpload = s3.upload.mockImplementation(() => promise); - mockGet = s3.getBucketVersioning.mockImplementation(async () => mockVersioningData); - }); + describe('uploadFile', () => { + const goodType = { ext: 'pdf', mime: 'application/pdf' }; + const buf = Buffer.from('Testing, Testing', 'UTF-8'); + const name = `${uuidv4()}.${goodType.ext}`; + const response = { + ETag: '"8b03d1d48774bfafdb26691256fc7b2b"', + Location: `${process.env.S3_ENDPOINT}/${process.env.S3_BUCKET}/${name}`, + key: `${name}`, + Key: `${name}`, + Bucket: `${process.env.S3_BUCKET}`, + }; + const promise = { + promise: () => new Promise((resolve) => { resolve(response); }), + }; + let mockUpload; + let mockGet; + + beforeEach(() => { + mockS3.upload = jest.fn(); + mockS3.getBucketVersioning = jest.fn(); + mockUpload = mockS3.upload.mockImplementation(() => promise); + mockGet = mockS3.getBucketVersioning.mockImplementation(async () => mockVersioningData); + }); - 
afterAll(() => { - process.env = oldEnv; - }); + afterAll(() => { + process.env = oldEnv; + }); - it('throws an error if S3 is not configured', async () => { - await expect(uploadFile(buf, name, goodType, null)).rejects.toThrow('S3 is not configured.'); - }); + it('throws an error if S3 is not configured', async () => { + await expect(uploadFile(buf, name, goodType, null)).rejects.toThrow('S3 is not configured.'); + }); - it('Correctly Uploads the file and checks versioning', async () => { - process.env.NODE_ENV = 'production'; - const got = await uploadFile(buf, name, goodType); - expect(mockGet.mock.calls.length).toBe(1); - await expect(got).toBe(response); + it('Correctly Uploads the file and checks versioning', async () => { + process.env.NODE_ENV = 'production'; + const got = await uploadFile(buf, name, goodType, mockS3); + expect(mockGet.mock.calls.length).toBe(1); + await expect(got).toBe(response); + }); }); -}); -describe('getPresignedURL', () => { - const Bucket = 'fakeBucket'; - const Key = 'fakeKey'; - const fakeError = new Error('fake error'); - let mockGetURL; + describe('getPresignedURL', () => { + const Bucket = 'fakeBucket'; + const Key = 'fakeKey'; + const fakeError = new Error('fake error'); + let mockGetURL; - beforeEach(() => { - s3.getSignedUrl = jest.fn(); - mockGetURL = s3.getSignedUrl.mockImplementation(() => 'https://example.com'); - }); + beforeEach(() => { + mockS3.getSignedUrl = jest.fn(); + mockGetURL = mockS3.getSignedUrl.mockImplementation(() => 'https://example.com'); + }); - it('returns an error if S3 is not configured', () => { - const url = getPresignedURL(Key, Bucket, null); - expect(url).toMatchObject({ url: null, error: new Error('S3 is not configured.') }); - }); + it('returns an error if S3 is not configured', () => { + const url = getPresignedURL(Key, Bucket, null); + expect(url).toMatchObject({ url: null, error: new Error('S3 is not configured.') }); + }); - it('calls getSignedUrl() with correct parameters', () => { - 
const url = getPresignedURL(Key, Bucket); - expect(url).toMatchObject({ url: 'https://example.com', error: null }); - expect(mockGetURL).toHaveBeenCalled(); - expect(mockGetURL).toHaveBeenCalledWith('getObject', { Bucket, Key, Expires: 360 }); - }); + it('calls getSignedUrl() with correct parameters', () => { + const url = getPresignedURL(Key, Bucket, mockS3); + expect(url).toMatchObject({ url: 'https://example.com', error: null }); + expect(mockGetURL).toHaveBeenCalled(); + expect(mockGetURL).toHaveBeenCalledWith('getObject', { Bucket, Key, Expires: 360 }); + }); - it('calls getSignedUrl() with incorrect parameters', async () => { - mockGetURL.mockImplementationOnce(() => { throw fakeError; }); - const url = getPresignedURL(Key, Bucket); - expect(url).toMatchObject({ url: null, error: fakeError }); - expect(mockGetURL).toHaveBeenCalled(); - expect(mockGetURL).toHaveBeenCalledWith('getObject', { Bucket, Key, Expires: 360 }); + it('calls getSignedUrl() with incorrect parameters', async () => { + mockGetURL.mockImplementationOnce(() => { throw fakeError; }); + const url = getPresignedURL(Key, Bucket, mockS3); + expect(url).toMatchObject({ url: null, error: fakeError }); + expect(mockGetURL).toHaveBeenCalled(); + expect(mockGetURL).toHaveBeenCalledWith('getObject', { Bucket, Key, Expires: 360 }); + }); }); -}); -describe('s3Uploader.deleteFileFromS3', () => { - const Bucket = 'fakeBucket'; - const Key = 'fakeKey'; - const anotherFakeError = Error('fake'); - let mockDeleteObject; + describe('s3Uploader.deleteFileFromS3', () => { + const Bucket = 'fakeBucket'; + const Key = 'fakeKey'; + const anotherFakeError = Error('fake'); + let mockDeleteObject; - beforeEach(() => { - s3.deleteObject = jest.fn(); - mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve('good') })); - }); + beforeEach(() => { + mockS3.deleteObject = jest.fn(); + mockDeleteObject = mockS3.deleteObject.mockImplementation(() => ({ promise: () => 
Promise.resolve('good') })); + }); - it('throws an error if S3 is not configured', async () => { - await expect(deleteFileFromS3(Key, Bucket, null)).rejects.toThrow('S3 is not configured.'); - }); + it('throws an error if S3 is not configured', async () => { + await expect(deleteFileFromS3(Key, Bucket, null)).rejects.toThrow('S3 is not configured.'); + }); - it('calls deleteFileFromS3() with correct parameters', async () => { - const got = deleteFileFromS3(Key, Bucket); - await expect(got).resolves.toBe('good'); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); - }); + it('calls deleteFileFromS3() with correct parameters', async () => { + const got = deleteFileFromS3(Key, Bucket, mockS3); + await expect(got).resolves.toBe('good'); + expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + }); - it('throws an error if promise rejects', async () => { - mockDeleteObject.mockImplementationOnce( - () => ({ promise: () => Promise.reject(anotherFakeError) }), - ); - const got = deleteFileFromS3(Key); - await expect(got).rejects.toBe(anotherFakeError); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + it('throws an error if promise rejects', async () => { + mockDeleteObject.mockImplementationOnce( + () => ({ promise: () => Promise.reject(anotherFakeError) }), + ); + const got = deleteFileFromS3(Key, undefined , mockS3); + await expect(got).rejects.toBe(anotherFakeError); + expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + }); }); -}); -describe('s3Uploader.deleteFileFromS3Job', () => { - const Bucket = 'fakeBucket'; - const Key = 'fakeKey'; - const anotherFakeError = Error({ statusCode: 500 }); - let mockDeleteObject; - - beforeEach(() => { - s3.deleteObject = jest.fn(); - mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ - promise: () => Promise.resolve({ status: 200, data: {} }), - })); - }); + describe('s3Uploader.deleteFileFromS3Job', () => { + const Bucket = 'fakeBucket'; + const Key = 'fakeKey'; 
+ const anotherFakeError = Error({ statusCode: 500 }); + let mockDeleteObject; + + beforeEach(() => { + s3.deleteObject = jest.fn(); + mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ + promise: () => Promise.resolve({ status: 200, data: {} }), + })); + }); - it('returns a 500 status with error data if S3 is not configured', async () => { - const expectedOutput = { - data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, - res: undefined, - status: 500, - }; + it('returns a 500 status with error data if S3 is not configured', async () => { + const expectedOutput = { + data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, + res: undefined, + status: 500, + }; - const job = { data: { fileId: 1, fileKey: 'fakeKey', bucket: 'fakeBucket' } }; - // Pass null for s3Client to simulate S3 not being configured - const got = await deleteFileFromS3Job(job, null); + const job = { data: { fileId: 1, fileKey: 'fakeKey', bucket: 'fakeBucket' } }; + // Pass null for s3Client to simulate S3 not being configured + const got = await deleteFileFromS3Job(job, null); - expect(got).toStrictEqual(expectedOutput); - }); + expect(got).toStrictEqual(expectedOutput); + }); - it('calls deleteFileFromS3Job() with correct parameters', async () => { - const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); - await expect(got).resolves.toStrictEqual({ - status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, + it('calls deleteFileFromS3Job() with correct parameters', async () => { + const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); + await expect(got).resolves.toStrictEqual({ + status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, + }); + expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); - }); - it('throws an error if promise rejects', async () => { - 
mockDeleteObject.mockImplementationOnce( - () => ({ promise: () => Promise.reject(anotherFakeError) }), - ); - const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); - await expect(got).resolves.toStrictEqual({ data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + it('throws an error if promise rejects', async () => { + mockDeleteObject.mockImplementationOnce( + () => ({ promise: () => Promise.reject(anotherFakeError) }), + ); + const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); + await expect(got).resolves.toStrictEqual({ data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); + expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + }); }); }); From 54d5e05321dc228983432fa1018e396cd31a377f Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 8 Oct 2024 00:23:18 -0700 Subject: [PATCH 113/138] add obfuscation to training report data --- src/tools/processData.js | 437 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 410 insertions(+), 27 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index 459d2e8f77..a27f2dedd2 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js 
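Review bot: The `s3Uploader.deleteFileFromS3Job` block was indented into the new `describe('S3')` wrapper but not converted: its `beforeEach` still assigns `s3.deleteObject = jest.fn()` and its two calls that expect a delete pass no client, while every other block now stubs `mockS3` and passes it explicitly. If `s3` is null in the test environment, which `const mockS3 = s3 || S3();` earlier in this commit suggests can happen, that assignment throws before any assertion runs. Using `mockS3.deleteObject = jest.fn();` and `deleteFileFromS3Job(job, mockS3)` would bring the block in line with the rest. The last test is titled 'throws an error if promise rejects' but asserts a resolved 500 result, so a title such as 'returns a 500 status if the delete rejects' would match what it checks.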
@@ -219,10 +219,57 @@ export const convertName = (name, email) => { return foundTransformedUser; }; +const convertUserNameCreate = async () => sequelize.query(/* sql */` +CREATE OR REPLACE FUNCTION "convertUserName"(user_name TEXT, user_id INT) +RETURNS TEXT LANGUAGE plpgsql AS $$ +DECLARE + transformed_name TEXT; +BEGIN + IF user_name IS NULL THEN + RETURN 'Unknown Name'; + END IF; + + -- Remove leading and trailing whitespace from the user name + user_name := trim(user_name); + + -- Perform the conversion using the provided SQL logic + SELECT zul.new_row_data ->> 'name' + INTO transformed_name + FROM "ZALUsers" zul + JOIN "Users" u ON zul.data_id = u.id + WHERE u.name = user_name + AND zul.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zul.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; + + -- Handle cases where no match was found and assign default value + IF transformed_name IS NULL THEN + SELECT zul.new_row_data ->> 'name' + INTO transformed_name + FROM "ZALUsers" zul + JOIN "Users" u ON zul.data_id = u.id + WHERE u.id = user_id + AND zul.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zul.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; + END IF; + + -- Handle cases where no match was found and assign default value + IF transformed_name IS NULL THEN + transformed_name := 'Unknown Name'; + END IF; + + RETURN transformed_name; +END $$; + +`); + +const convertUserNameDrop = async () => sequelize.query(/* sql */` + DROP FUNCTION IF EXISTS "convertUserName"(TEXT, INT); +`); + // Function to create a PL/pgSQL function in the PostgreSQL database that converts recipient names // and grant numbers to anonymized data -const convertRecipientNameCreate = async () => sequelize.query(/* sql */` - CREATE OR REPLACE FUNCTION "convertRecipientName"(recipients_grants TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ +const convertRecipientNameAndNumberCreate = async () => sequelize.query(/* sql */` + CREATE OR REPLACE FUNCTION 
"convertRecipientNameAndNumber"(recipients_grants TEXT) RETURNS TEXT LANGUAGE plpgsql AS $$ DECLARE recipient_grants_array TEXT[]; converted_recipients_grants TEXT[]; 
@@ -279,9 +326,101 @@ const convertRecipientNameCreate = async () => sequelize.query(/* sql */` END $$; `); -// Function to drop the "convertRecipientName" function from the PostgreSQL database if it exists +// Function to drop the "convertRecipientNameAndNumber" function from the PostgreSQL database if it exists +const convertRecipientNameAndNumberDrop = async () => sequelize.query(/* sql */` + DROP FUNCTION IF EXISTS "convertRecipientNameAndNumber"(TEXT); +`); + +const convertGrantNumberCreate = async () => sequelize.query(/* sql */` + CREATE OR REPLACE FUNCTION "convertGrantNumber"(grant_number TEXT, grant_id INT) + RETURNS TEXT LANGUAGE plpgsql AS $$ + DECLARE + transformed_grant_number TEXT; + BEGIN + IF grant_number IS NULL THEN + RETURN 'UnknownGrant'; + END IF; + + -- Remove leading and trailing whitespace from the grant number + grant_number := trim(grant_number); + + -- Perform the conversion using the provided SQL logic + SELECT zgr.new_row_data ->> 'number' + INTO transformed_grant_number + FROM "ZALGrants" zgr + JOIN "Grants" gr ON zgr.data_id = gr.id + WHERE zgr.old_row_data ->> 'number' = grant_number + AND zgr.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zgr.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; + + -- Handle cases where no match was found and assign default value + IF transformed_grant_number IS NULL THEN + SELECT zgr.new_row_data ->> 'number' + INTO transformed_grant_number + FROM "ZALGrants" zgr + JOIN "Grants" gr ON zrec.data_id = gr.id + WHERE gr.id = grant_id + AND zrec.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zrec.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; + END IF; + + -- Handle cases where no match was found and assign default value + IF transformed_grant_number IS NULL THEN + transformed_grant_number := 'UnknownGrant'; + END IF; + + RETURN transformed_grant_number; + END $$; +`); + +const convertGrantNumberDrop = async () => sequelize.query(/* sql */` + DROP FUNCTION IF EXISTS 
"convertGrantNumber"(TEXT, INT); +`); + +const convertRecipientNameCreate = async () => sequelize.query(/* sql */` + CREATE OR REPLACE FUNCTION "convertRecipientName"(recipient_name TEXT, grant_id INT) + RETURNS TEXT LANGUAGE plpgsql AS $$ + DECLARE + transformed_recipient_name TEXT; + BEGIN + IF recipient_name IS NULL THEN + RETURN 'Unknown Recipient'; + END IF; + + -- Remove leading and trailing whitespace from the recipient name + recipient_name := trim(recipient_name); + + -- Perform the conversion using the provided SQL logic + SELECT zrec.new_row_data ->> 'name' + INTO transformed_recipient_name + FROM "ZALRecipients" zrec + JOIN "Recipients" r ON zrec.data_id = r.id + WHERE r.name = recipient_name + AND zrec.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zrec.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; + + -- Handle cases where no match was found and assign default value + IF transformed_recipient_name IS NULL THEN + SELECT zrec.new_row_data ->> 'name' + INTO transformed_recipient_name + FROM "ZALRecipients" zrec + JOIN "Grants" gr ON zrec.data_id = gr."recipientId" + WHERE gr.id = grant_id + AND zrec.dml_timestamp >= NOW() - INTERVAL '30 minutes' + AND zrec.dml_txid = lpad(txid_current()::text, 32, chr(48))::uuid; + END IF; + + -- Handle cases where no match was found and assign default value + IF transformed_recipient_name IS NULL THEN + transformed_recipient_name := 'Unknown Recipient'; + END IF; + + RETURN transformed_recipient_name; + END $$; +`); + const convertRecipientNameDrop = async () => sequelize.query(/* sql */` - DROP FUNCTION IF EXISTS "convertRecipientName"(TEXT); + DROP FUNCTION IF EXISTS "convertRecipientName"(TEXT, INT); `); // Function to anonymize user data by replacing names, emails, and other details with generated 
@@ -294,7 +433,7 @@ export const hideUsers = async (userIds) => { // Query the database to retrieve real user data based on the WHERE clause [realUsers] = await sequelize.query(/* sql */` SELECT "id", "email", "name" - FROM "Users" + FROM "Users" --test WHERE 1 = 1 ${whereClause}; `); @@ -353,7 +492,8 @@ export const hideUsers = async (userIds) => { // Retrieve the transformed (anonymized) user data from the Users table for further processing [transformedUsers] = await sequelize.query(/* sql */` SELECT "id", "email", "name" - FROM "Users" + FROM "Users" -- test 2 + WHERE 1 = 1 ${whereClause}; `); }; @@ -372,7 +512,7 @@ export const hideRecipientsGrants = async (recipientsGrants) => { ? `WHERE "name" ILIKE ANY(ARRAY[${recipientsArray.map((r) => `'${r}'`).join(', ')}])` : ''; const grantWhere = grantsArray - ? `WHERE "number" ILIKE ANY(ARRAY[${grantsArray.map((g) => `'${g}'}`).join(', ')}])` + ? `WHERE "number" ILIKE ANY(ARRAY[${grantsArray.map((g) => `'${g}'`).join(', ')}])` : ''; // Query the database to retrieve real recipient data based on the WHERE clause 
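Review bot: The `--test` marker added after `FROM "Users"` in the first `hideUsers` query, and `-- test 2` in the second query of the next hunk, look like leftover debugging and tell the next reader nothing. Either drop them or replace them with a comment that explains the line below, for example `-- WHERE 1 = 1 lets the optional "AND id IN (...)" filter be appended as-is`. Both queries sit inside `hideUsers`, whose body starts and ends outside these hunks.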
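Review bot: Recipient names and grant numbers are wrapped in single quotes by hand (`'${r}'`, `'${g}'`) and spliced into the `ILIKE ANY(ARRAY[...])` filters in `hideRecipientsGrants`, so a value containing an apostrophe breaks the statement and the rest of the value is parsed as SQL; removing the stray `}` does not address that. Passing the arrays as bound parameters avoids both problems, e.g. `WHERE "number" ILIKE ANY(ARRAY[:grants])` with `replacements: { grants: grantsArray }`, and likewise for the recipient filter. `ILIKE` also treats `%` and `_` inside a value as wildcards, so a name containing them would match more rows than intended; if exact case-insensitive matching is what is wanted, comparing `lower("number")` against lowered values says so more clearly. `hideRecipientsGrants` starts and ends outside this hunk.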
@@ -612,29 +752,264 @@ export const processFiles = async () => sequelize.query(/* sql */` // Function to process and anonymize sensitive data in Activity Reports by replacing specific // fields with generated fake data -export const processActivityReports = async (where) => sequelize.query(/* sql */` +export const processActivityReports = async ( + where = '', +) => sequelize.query(/* sql */`-- Update additionalNotes field + UPDATE "ActivityReports" + SET "additionalNotes" = "processHtml"("additionalNotes") + WHERE "additionalNotes" IS NOT NULL + ${where}; + + -- Update context field + UPDATE "ActivityReports" + SET "context" = "processHtml"("context") + WHERE "context" IS NOT NULL + ${where}; + + -- Update imported -> 'additionalNotesForThisActivity' + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{additionalNotesForThisActivity}', + to_jsonb("processHtml"("imported"->>'additionalNotesForThisActivity')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'additionalNotesForThisActivity' IS NOT NULL + ${where}; + + -- Update imported -> 'cdiGranteeName' + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{cdiGranteeName}', + to_jsonb("processHtml"("imported"->>'cdiGranteeName')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'cdiGranteeName' IS NOT NULL + ${where}; + + -- Update imported -> 'contextForThisActivity' + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{contextForThisActivity}', + to_jsonb("processHtml"("imported"->>'contextForThisActivity')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'contextForThisActivity' IS NOT NULL + ${where}; + + -- Update imported -> 'createdBy' using convertEmails() + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{createdBy}', + to_jsonb("convertEmails"("imported"->>'createdBy')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'createdBy' IS NOT NULL + ${where}; + + -- Update 
imported -> 'granteeFollowUpTasksObjectives' + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{granteeFollowUpTasksObjectives}', + to_jsonb("processHtml"("imported"->>'granteeFollowUpTasksObjectives')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'granteeFollowUpTasksObjectives' IS NOT NULL + ${where}; + + -- Update imported -> 'granteeName' using convertRecipientNameAndNumber() + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{granteeName}', + to_jsonb("convertRecipientNameAndNumber"("imported"->>'granteeName')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'granteeName' IS NOT NULL + ${where}; + + -- Update imported -> 'manager' using convertEmails() UPDATE "ActivityReports" - SET - "additionalNotes" = "processHtml"("additionalNotes"), - "context" = "processHtml"("context"), - "imported" = CASE - WHEN "imported" IS NOT NULL THEN - jsonb_set("imported", '{additionalNotesForThisActivity}', to_jsonb("processHtml"("imported"->>'additionalNotesForThisActivity')), true) - || jsonb_set("imported", '{cdiGranteeName}', to_jsonb("processHtml"("imported"->>'cdiGranteeName')), true) - || jsonb_set("imported", '{contextForThisActivity}', to_jsonb("processHtml"("imported"->>'contextForThisActivity')), true) - || jsonb_set("imported", '{createdBy}', to_jsonb("convertEmails"("imported"->>'createdBy')), true) - || jsonb_set("imported", '{granteeFollowUpTasksObjectives}', to_jsonb("processHtml"("imported"->>'granteeFollowUpTasksObjectives')), true) - || jsonb_set("imported", '{granteeName}', to_jsonb("convertRecipientName"("imported"->>'granteeName')), true) - || jsonb_set("imported", '{manager}', to_jsonb("convertEmails"("imported"->>'manager')), true) - || jsonb_set("imported", '{modifiedBy}', to_jsonb("convertEmails"("imported"->>'modifiedBy')), true) - || jsonb_set("imported", '{otherSpecialists}', to_jsonb("convertEmails"("imported"->>'otherSpecialists')), true) - || jsonb_set("imported", 
'{specialistFollowUpTasksObjectives}', to_jsonb("processHtml"("imported"->>'specialistFollowUpTasksObjectives')), true) - ELSE - "imported" - END - WHERE 1 = 1 + SET "imported" = jsonb_set( + "imported", + '{manager}', + to_jsonb("convertEmails"("imported"->>'manager')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'manager' IS NOT NULL + ${where}; + + -- Update imported -> 'modifiedBy' using convertEmails() + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{modifiedBy}', + to_jsonb("convertEmails"("imported"->>'modifiedBy')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'modifiedBy' IS NOT NULL + ${where}; + + -- Update imported -> 'otherSpecialists' using convertEmails() + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{otherSpecialists}', + to_jsonb("convertEmails"("imported"->>'otherSpecialists')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'otherSpecialists' IS NOT NULL + ${where}; + + -- Update imported -> 'specialistFollowUpTasksObjectives' + UPDATE "ActivityReports" + SET "imported" = jsonb_set( + "imported", + '{specialistFollowUpTasksObjectives}', + to_jsonb("processHtml"("imported"->>'specialistFollowUpTasksObjectives')), + true + ) + WHERE "imported" IS NOT NULL AND "imported"->>'specialistFollowUpTasksObjectives' IS NOT NULL ${where}; `); + +export const processTraningReports = async (where = '') => { + // Event + await sequelize.query(/* sql */` + -- 1. Update data -> 'creator' field using convertEmails() + UPDATE "EventReportPilots" + SET data = jsonb_set( + data, + '{creator}', + CASE + WHEN "convertEmails"(data ->> 'creator') IS NOT NULL THEN to_jsonb("convertEmails"(data ->> 'creator')) + ELSE data -> 'creator' + END, + false + ) + WHERE data ? 'creator' + ${where}; + + -- 2. 
Update data -> 'owner' -> 'name' field using convertUserName() + UPDATE "EventReportPilots" + SET data = jsonb_set( + data, + '{owner, name}', + CASE + WHEN "convertUserName"(data #>> '{owner, name}', (data #>> '{owner, id}')::int) IS NOT NULL THEN to_jsonb("convertUserName"(data #>> '{owner, name}', (data #>> '{owner, id}')::int)) + ELSE data #> '{owner, name}' + END, + false + ) + WHERE data ? 'owner' AND data->'owner' ? 'name' + ${where}; + + -- 3. Update data -> 'owner' -> 'email' field using convertEmails() + UPDATE "EventReportPilots" + SET data = jsonb_set( + data, + '{owner, email}', + CASE + WHEN "convertEmails"(data #>> '{owner, email}') IS NOT NULL THEN to_jsonb("convertEmails"(data #>> '{owner, email}')) + ELSE data #> '{owner, email}' + END, + false + ) + WHERE data ? 'owner' AND data->'owner' ? 'email' + ${where}; + + -- 4. Update data -> 'owner' -> 'nameWithNationalCenters' field with a suffix, using convertUserName() + UPDATE "EventReportPilots" + SET data = jsonb_set( + data, + '{owner, nameWithNationalCenters}', + CASE + WHEN "convertUserName"(split_part(data #>> '{owner, nameWithNationalCenters}', ',', 1), (data #>> '{owner, id}')::int) IS NOT NULL THEN + to_jsonb("convertUserName"(split_part(data #>> '{owner, nameWithNationalCenters}', ',', 1), (data #>> '{owner, id}')::int) || ', ' || split_part(data #>> '{owner, nameWithNationalCenters}', ',', 2)) + ELSE data #> '{owner, nameWithNationalCenters}' + END, + false + ) + WHERE data ? 'owner' AND data->'owner' ? 'nameWithNationalCenters' + ${where}; + + -- 5. 
Update each element's userName in eventReportPilotNationalCenterUsers array using convertUserName() + UPDATE "EventReportPilots" + SET data = jsonb_set( + data, + '{eventReportPilotNationalCenterUsers}', + ( + SELECT jsonb_agg( + CASE + WHEN "convertUserName"(user_elem ->> 'userName', (user_elem ->> 'userId')::int) IS NOT NULL THEN + jsonb_set(user_elem, '{userName}', to_jsonb("convertUserName"(user_elem ->> 'userName', (user_elem ->> 'userId')::int))) + ELSE user_elem + END + ) + FROM jsonb_array_elements(data->'eventReportPilotNationalCenterUsers') AS user_elem + ), + false + ) + WHERE data ? 'eventReportPilotNationalCenterUsers' + ${where}; + `); + // Session + await sequelize.query(/* sql */` + UPDATE "SessionReportPilots" + SET data = jsonb_set( + data, + '{recipients}', + COALESCE( + ( + SELECT jsonb_agg(new_recipient) + FROM ( + SELECT + jsonb_set( + recipient, + '{label}', + to_jsonb(new_label) + ) AS new_recipient + FROM ( + SELECT + recipient, + -- Reconstruct the new label + CASE + WHEN array_length(reversed_parts, 1) >= 3 THEN + "convertRecipientName"(REVERSE(array_to_string(reversed_parts[3:array_upper(reversed_parts, 1)], ' - ')), "value") || ' - ' || + "convertGrantNumber"(REVERSE(reversed_parts[2]), "value") || ' - ' || + REVERSE(reversed_parts[1]) + WHEN array_length(reversed_parts, 1) = 2 THEN + "convertRecipientName"(REVERSE(reversed_parts[2]), "value") || ' - ' || + "convertGrantNumber"(REVERSE(reversed_parts[1]), "value") + WHEN array_length(reversed_parts, 1) = 1 THEN + "convertRecipientName"(REVERSE(reversed_parts[1]), "value") + ELSE + recipient ->> 'label' + END AS new_label + FROM ( + SELECT + recipient, + REVERSE(recipient ->> 'label') AS reversed_label, + string_to_array(REVERSE(recipient ->> 'label'), ' - ') AS reversed_parts, + (recipient ->> 'value')::int "value" + FROM jsonb_array_elements(data->'recipients') AS recipient + ) sub1 + ) sub2 + ) sub3 + ), + data->'recipients' -- Fallback to original value if transformation fails + ), + 
false + ) + WHERE data ? 'recipients' + ${where}; + `); +} + /* Main function to orchestrate the entire anonymization process, including creating and dropping * database functions, hiding users, recipients, and grants, processing activity reports and files, * and truncating audit tables @@ -649,7 +1024,10 @@ const processData = async (mockReport) => sequelize.transaction(async () => { // Create the necessary database functions for data processing await processHtmlCreate(); await convertEmailsCreate(); + await convertRecipientNameAndNumberCreate(); + await convertGrantNumberCreate(); await convertRecipientNameCreate(); + await convertUserNameCreate(); // Anonymize user data await hideUsers(userIds); @@ -660,6 +1038,8 @@ const processData = async (mockReport) => sequelize.transaction(async () => { // Anonymize activity reports await processActivityReports(where); + await processTraningReports(); + // Anonymize file names await processFiles(); @@ -675,7 +1055,10 @@ const processData = async (mockReport) => sequelize.transaction(async () => { // Drop the database functions used for data processing await processHtmlDrop(); await convertEmailsDrop(); + await convertRecipientNameAndNumberDrop(); + await convertGrantNumberDrop(); await convertRecipientNameDrop(); + await convertUserNameDrop(); // Truncate audit tables return truncateAuditTables(); From d2782e3d15e09ada8db9aa216cfafc84b7ad3299 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 8 Oct 2024 01:25:00 -0700 Subject: [PATCH 114/138] process all og the granteenames on activity reports --- src/tools/processData.js | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index a27f2dedd2..ff60206cd8 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js 
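Review bot: The `ELSE data -> 'creator'`, `ELSE data #> '{owner, name}'`, `ELSE data #> '{owner, email}'` and `ELSE user_elem` branches in processTraningReports keep the original value whenever the convert function returns NULL, so an unmatched e-mail or user name survives the anonymization run unchanged. The `COALESCE(..., data->'recipients')` fallback in the SessionReportPilots update has the same effect, and its comment "Fallback to original value if transformation fails" overstates it: a non-numeric `recipient ->> 'value'` makes the `::int` cast raise and abort the transaction instead. For an anonymizer the safer default is a fixed placeholder, in the way convertRecipientName falls back to `'Unknown Recipient'`, e.g. `ELSE to_jsonb('Unknown User'::text)` (placeholder text constructed for this note). When the convert functions return NULL is not visible here, since they are defined outside the hunk.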
@@ -826,11 +826,19 @@ export const processActivityReports = async ( SET "imported" = jsonb_set( "imported", '{granteeName}', - to_jsonb("convertRecipientNameAndNumber"("imported"->>'granteeName')), + to_jsonb( + array_to_string( + array( + SELECT "convertRecipientNameAndNumber"(unnest(string_to_array("imported"->>'granteeName', E'\n'))) + ), + E'\n' + ) + ), true ) - WHERE "imported" IS NOT NULL AND "imported"->>'granteeName' IS NOT NULL - ${where}; + WHERE "imported" IS NOT NULL + AND "imported"->>'granteeName' IS NOT NULL + ${where}; -- Update imported -> 'manager' using convertEmails() UPDATE "ActivityReports" From 80e04499995715c241b0c9726cb31d7e24f4eae9 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 8 Oct 2024 11:58:34 -0700 Subject: [PATCH 115/138] lint --- src/lib/s3.test.js | 10 ++++++---- src/tools/processData.js | 5 +++-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 67eb76e6f4..646ba53920 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -122,9 +122,11 @@ describe('S3', () => { mockS3.getBucketVersioning = jest.fn(); mockS3.putBucketVersioning = jest.fn(); mockGet = mockS3.getBucketVersioning.mockImplementation(async () => mockVersioningData); - mockPut = mockS3.putBucketVersioning.mockImplementation(async (params) => new Promise((res) => { - res(params); - })); + mockPut = mockS3.putBucketVersioning.mockImplementation( + async (params) => new Promise((res) => { + res(params); + }), + ); mockGet.mockClear(); mockPut.mockClear(); }); @@ -252,7 +254,7 @@ describe('S3', () => { mockDeleteObject.mockImplementationOnce( () => ({ promise: () => Promise.reject(anotherFakeError) }), ); - const got = deleteFileFromS3(Key, undefined , mockS3); + const got = deleteFileFromS3(Key, undefined, mockS3); await expect(got).rejects.toBe(anotherFakeError); expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); 
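Review bot: `array_to_string(array(...), E'\n')` silently omits NULL elements, so any line of `granteeName` for which `convertRecipientNameAndNumber` returns NULL disappears from the rebuilt value and the remaining lines shift up. Passing a third argument keeps the line count stable and makes unmatched entries visible, e.g. `array_to_string(array(...), E'\n', 'Unknown Recipient')`. Whether the function can return NULL is not visible in this hunk, so this needs checking against its definition. A short SQL comment above the `SELECT` stating that the field holds one recipient per line would also help the next reader.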
diff --git a/src/tools/processData.js b/src/tools/processData.js index ff60206cd8..18406ac76d 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js @@ -326,7 +326,8 @@ const convertRecipientNameAndNumberCreate = async () => sequelize.query(/* sql * END $$; `); -// Function to drop the "convertRecipientNameAndNumber" function from the PostgreSQL database if it exists +// Function to drop the "convertRecipientNameAndNumber" function from the PostgreSQL +// database if it exists const convertRecipientNameAndNumberDrop = async () => sequelize.query(/* sql */` DROP FUNCTION IF EXISTS "convertRecipientNameAndNumber"(TEXT); `); @@ -1016,7 +1017,7 @@ export const processTraningReports = async (where = '') => { WHERE data ? 'recipients' ${where}; `); -} +}; /* Main function to orchestrate the entire anonymization process, including creating and dropping * database functions, hiding users, recipients, and grants, processing activity reports and files, From 969eb01e24a8e7aa0a025e6f657bcb2c68aa2908 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 12:28:06 -0700 Subject: [PATCH 116/138] refactor to have less branches --- src/tools/processData.js | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/tools/processData.js b/src/tools/processData.js index 18406ac76d..ae243e398d 100644 --- a/src/tools/processData.js +++ b/src/tools/processData.js 
@@ -1025,10 +1025,17 @@ export const processTraningReports = async (where = '') => { */ const processData = async (mockReport) => sequelize.transaction(async () => { // If a mockReport is provided, extract the activity report ID and relevant data - const activityReportId = mockReport ? mockReport.id : null; - const where = activityReportId ? `AND id = ${activityReportId}` : ''; - const userIds = mockReport ? [3000, 3001, 3002, 3003] : null; - const recipientsGrants = mockReport ? mockReport.imported.granteeName : null; + let activityReportId = null; + let where = ''; + let userIds = null; + let recipientsGrants = null; + + if (mockReport) { + activityReportId = mockReport.id; + where = `AND id = ${activityReportId}`; + userIds = [3000, 3001, 3002, 3003]; + recipientsGrants = mockReport.imported.granteeName; + } // Create the necessary database functions for data processing await processHtmlCreate(); From e333c39fdc515474cb6011e14cc4bdb7e11391f6 Mon Sep 17 00:00:00 2001 From: Matt Bevilacqua Date: Fri, 11 Oct 2024 15:37:18 -0400 Subject: [PATCH 117/138] Fix one test, cleanup --- src/lib/s3.test.js | 43 ++++++++++++++++++++++++++++++------------- 1 file changed, 30 insertions(+), 13 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 646ba53920..1358ccda87 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -94,6 +94,12 @@ describe('S3', () => { }); it('returns null config when no S3 environment variables or VCAP_SERVICES are set', () => { + const oldVCAP = process.env.VCAP_SERVICES; + const oldBucket = process.env.S3_BUCKET; + const oldAccessKey = process.env.AWS_ACCESS_KEY_ID; + const oldSecretKey = process.env.AWS_SECRET_ACCESS_KEY; + const oldEndpoint = process.env.S3_ENDPOINT; + delete process.env.VCAP_SERVICES; delete process.env.S3_BUCKET; delete process.env.AWS_ACCESS_KEY_ID; 
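Review bot: `where = \`AND id = ${activityReportId}\`` places `mockReport.id` directly into SQL text that processActivityReports then repeats in every UPDATE, and nothing in the new `if (mockReport)` block checks that the id is an integer. A guard before building the fragment closes that off: `if (!Number.isInteger(activityReportId)) throw new TypeError('mockReport.id must be an integer');`. Since processActivityReports is exported and accepts a raw fragment, taking the id and using a bind parameter there would be the more durable fix. The block also reads `mockReport.imported.granteeName` without checking that `imported` is set.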
@@ -106,6 +112,12 @@ describe('S3', () => { }; const got = generateS3Config(); expect(got).toMatchObject(want); + + process.env.VCAP_SERVICES = oldVCAP; + process.env.S3_BUCKET = oldBucket; + process.env.AWS_ACCESS_KEY_ID = oldAccessKey; + process.env.AWS_SECRET_ACCESS_KEY = oldSecretKey; + process.env.S3_ENDPOINT = oldEndpoint; }); }); @@ -171,13 +183,12 @@ describe('S3', () => { const promise = { promise: () => new Promise((resolve) => { resolve(response); }), }; - let mockUpload; let mockGet; beforeEach(() => { mockS3.upload = jest.fn(); mockS3.getBucketVersioning = jest.fn(); - mockUpload = mockS3.upload.mockImplementation(() => promise); + mockS3.upload.mockImplementation(() => promise); mockGet = mockS3.getBucketVersioning.mockImplementation(async () => mockVersioningData); }); @@ -193,7 +204,7 @@ describe('S3', () => { process.env.NODE_ENV = 'production'; const got = await uploadFile(buf, name, goodType, mockS3); expect(mockGet.mock.calls.length).toBe(1); - await expect(got).toBe(response); + expect(got).toBe(response); }); }); @@ -235,9 +246,13 @@ describe('S3', () => { const anotherFakeError = Error('fake'); let mockDeleteObject; + afterEach(() => { + jest.resetAllMocks(); + }); + beforeEach(() => { mockS3.deleteObject = jest.fn(); - mockDeleteObject = mockS3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve('good') })); + mockS3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve('good') })); }); it('throws an error if S3 is not configured', async () => { 
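Review bot: Restoring with `process.env.S3_BUCKET = oldBucket` (and the four sibling assignments) stores the string `'undefined'` when the variable was unset before the test, because Node coerces environment values to strings. Later tests then see a truthy `VCAP_SERVICES` or bucket name that is not real. The restore also sits after the `expect`, so it is skipped when the assertion fails. Doing the restore in an `afterEach` and deleting keys that were originally absent fixes both, e.g. `if (oldBucket === undefined) delete process.env.S3_BUCKET; else process.env.S3_BUCKET = oldBucket;`. The values are saved in the previous hunk (-94).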
@@ -247,16 +262,16 @@ describe('S3', () => { it('calls deleteFileFromS3() with correct parameters', async () => { const got = deleteFileFromS3(Key, Bucket, mockS3); await expect(got).resolves.toBe('good'); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); it('throws an error if promise rejects', async () => { - mockDeleteObject.mockImplementationOnce( + mockS3.deleteObject.mockImplementation( () => ({ promise: () => Promise.reject(anotherFakeError) }), ); const got = deleteFileFromS3(Key, undefined, mockS3); await expect(got).rejects.toBe(anotherFakeError); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); }); @@ -264,11 +279,10 @@ describe('S3', () => { const Bucket = 'fakeBucket'; const Key = 'fakeKey'; const anotherFakeError = Error({ statusCode: 500 }); - let mockDeleteObject; beforeEach(() => { s3.deleteObject = jest.fn(); - mockDeleteObject = s3.deleteObject.mockImplementation(() => ({ + s3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }), })); }); 
@@ -292,16 +306,19 @@ describe('S3', () => { await expect(got).resolves.toStrictEqual({ status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, }); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(s3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); it('throws an error if promise rejects', async () => { - mockDeleteObject.mockImplementationOnce( - () => ({ promise: () => Promise.reject(anotherFakeError) }), + s3.deleteObject.mockImplementationOnce( + () => ({ + promise: () => Promise.reject(anotherFakeError), + }), ); + const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); await expect(got).resolves.toStrictEqual({ data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); - expect(mockDeleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(s3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); }); }); From 4e2ceb7a18f6f714f086db4158e79eab5305905a Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 14:46:36 -0700 Subject: [PATCH 118/138] Update s3.test.js --- src/lib/s3.test.js | 45 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 38 insertions(+), 7 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 1358ccda87..5e17407940 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -2,6 +2,7 @@ import { v4 as uuidv4 } from 'uuid'; import { S3 } from 'aws-sdk'; import { s3, + downloadFile, verifyVersioning, uploadFile, getPresignedURL, @@ -17,6 +18,8 @@ jest.mock('aws-sdk', () => { upload: jest.fn(), getSignedUrl: jest.fn(), deleteObject: jest.fn(), + getObject: jest.fn().mockReturnThis(), + promise: jest.fn(), }; return { S3: jest.fn(() => mS3) }; }); 
@@ -74,7 +77,7 @@ describe('S3', () => { }); it('returns proper config with process.env.VCAP_SERVICES not set', () => { - process.env.S3_BUCKET = 'test-bucket'; + process.env.S3_BUCKET = 'ttadp-test'; process.env.AWS_ACCESS_KEY_ID = 'superSecretAccessKeyId'; process.env.AWS_SECRET_ACCESS_KEY = 'superSecretAccessKey'; process.env.S3_ENDPOINT = 'localhost'; @@ -208,8 +211,36 @@ describe('S3', () => { }); }); + describe('downloadFile', () => { + afterEach(() => { + jest.resetAllMocks(); + }); + it('returns an error if S3 is not configured', () => { + expect(() => downloadFile(null, null)).toThrow('S3 is not configured.'); + }); + it('downloads a file successfully', async () => { + const { bucketName } = generateS3Config(); + const key = 'test-file.txt'; + // Mock the promise to resolve with some file content + mockS3.promise.mockResolvedValue({ Body: 'file-content' }); + mockS3.getObject.mockImplementation(() => mockS3); + + // Call the function + const result = await downloadFile(key, mockS3); + + // Verify getObject was called with the right parameters + expect(mockS3.getObject).toHaveBeenCalledWith({ + Bucket: bucketName, + Key: key, + }); + + // Verify the result + expect(result).toEqual({ Body: 'file-content' }); + }); + }); + describe('getPresignedURL', () => { - const Bucket = 'fakeBucket'; + const Bucket = 'ttadp-test'; const Key = 'fakeKey'; const fakeError = new Error('fake error'); let mockGetURL; @@ -241,7 +272,7 @@ describe('S3', () => { }); describe('s3Uploader.deleteFileFromS3', () => { - const Bucket = 'fakeBucket'; + const Bucket = 'ttadp-test'; const Key = 'fakeKey'; const anotherFakeError = Error('fake'); let mockDeleteObject; @@ -276,7 +307,7 @@ describe('S3', () => { }); describe('s3Uploader.deleteFileFromS3Job', () => { - const Bucket = 'fakeBucket'; + const Bucket = 'ttadp-test'; const Key = 'fakeKey'; const anotherFakeError = Error({ statusCode: 500 }); 
@@ -289,12 +320,12 @@ describe('S3', () => { it('returns a 500 status with error data if S3 is not configured', async () => { const expectedOutput = { - data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, + data: { bucket: 'ttadp-test', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500, }; - const job = { data: { fileId: 1, fileKey: 'fakeKey', bucket: 'fakeBucket' } }; + const job = { data: { fileId: 1, fileKey: 'fakeKey', bucket: 'ttadp-test' } }; // Pass null for s3Client to simulate S3 not being configured const got = await deleteFileFromS3Job(job, null); @@ -317,7 +348,7 @@ describe('S3', () => { ); const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); - await expect(got).resolves.toStrictEqual({ data: { bucket: 'fakeBucket', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); + await expect(got).resolves.toStrictEqual({ data: { bucket: 'ttadp-test', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); expect(s3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); }); From 3389c6c6c8e2589467025d1d122e98700df39744 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 15:30:45 -0700 Subject: [PATCH 119/138] Update s3.test.js --- src/lib/s3.test.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 5e17407940..a7705fd9ec 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
@@ -220,20 +220,20 @@ describe('S3', () => { }); it('downloads a file successfully', async () => { const { bucketName } = generateS3Config(); - const key = 'test-file.txt'; + const key = 'test-file.txt'; // Mock the promise to resolve with some file content mockS3.promise.mockResolvedValue({ Body: 'file-content' }); mockS3.getObject.mockImplementation(() => mockS3); - + // Call the function const result = await downloadFile(key, mockS3); - + // Verify getObject was called with the right parameters expect(mockS3.getObject).toHaveBeenCalledWith({ Bucket: bucketName, Key: key, }); - + // Verify the result expect(result).toEqual({ Body: 'file-content' }); }); From e4277f0ae86e8e8cdb7c92b7e950be49a476ee63 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 15:51:35 -0700 Subject: [PATCH 120/138] Update processData.test.js --- src/tools/processData.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/processData.test.js b/src/tools/processData.test.js index 517ffd80a6..dd44f1a051 100644 --- a/src/tools/processData.test.js +++ b/src/tools/processData.test.js @@ -366,7 +366,7 @@ describe('processData', () => { describe('hideUsers', () => { it('transforms user names and emails in the Users table', async () => { - await hideUsers(mockUser.id.toString()); + await hideUsers([mockUser.id]); const transformedMockUser = await User.findOne({ where: { id: mockUser.id } }); expect(transformedMockUser.email).not.toBe(mockUser.email); expect(transformedMockUser.hsesUsername).not.toBe(mockUser.hsesUsername); From e963e04b5cd38217313ba83c22e42829ec31de6e Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 16:00:39 -0700 Subject: [PATCH 121/138] only allow mock for tests --- src/lib/s3.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index a7705fd9ec..d17b0b4291 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
@@ -24,7 +24,7 @@ jest.mock('aws-sdk', () => { return { S3: jest.fn(() => mS3) }; }); -const mockS3 = s3 || S3(); +const mockS3 = /*s3 ||*/ S3(); const oldEnv = { ...process.env }; const VCAP_SERVICES = { From 12cfde6859241a3a9034b985a78fc75def9211b1 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 16:03:53 -0700 Subject: [PATCH 122/138] Update s3.test.js --- src/lib/s3.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index d17b0b4291..cb2240b373 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -24,7 +24,7 @@ jest.mock('aws-sdk', () => { return { S3: jest.fn(() => mS3) }; }); -const mockS3 = /*s3 ||*/ S3(); +const mockS3 = /* s3 || */ S3(); const oldEnv = { ...process.env }; const VCAP_SERVICES = { From c9b73857e38ad69404729d40d39b15fe4b7bbad2 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 21:52:43 -0700 Subject: [PATCH 123/138] Update s3.test.js --- src/lib/s3.test.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index cb2240b373..8372af7bd7 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -155,7 +155,8 @@ describe('S3', () => { }); it('Doesn\'t change things if versioning is enabled', async () => { - const got = await verifyVersioning(undefined, mockS3); + const { bucketName } = generateS3Config(); + const got = await verifyVersioning(bucketName, mockS3); expect(mockGet.mock.calls.length).toBe(1); expect(mockPut.mock.calls.length).toBe(0); expect(got).toBe(mockVersioningData); From 8269b4904b43f205277e8891cd00b9d46cf08c7b Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Fri, 11 Oct 2024 22:32:24 -0700 Subject: [PATCH 124/138] Update s3.test.js --- src/lib/s3.test.js | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 8372af7bd7..3fd67b764d 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
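Review bot: `const mockS3 = /*s3 ||*/ S3();` leaves the old expression behind as an inline comment, and the next commit only re-spaces it. If the intent is that the tests never use the module's `s3` client, say so in a comment and delete the dead fragment: `// Always use the jest-mocked client so tests never reach a configured bucket` followed by `const mockS3 = S3();`. The `s3` import can then go as well once nothing else in the file references it; that part of the file is outside the hunk.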
@@ -298,12 +298,13 @@ describe('S3', () => { }); it('throws an error if promise rejects', async () => { + const { bucketName } = generateS3Config(); mockS3.deleteObject.mockImplementation( () => ({ promise: () => Promise.reject(anotherFakeError) }), ); - const got = deleteFileFromS3(Key, undefined, mockS3); + const got = deleteFileFromS3(Key, bucketName, mockS3); await expect(got).rejects.toBe(anotherFakeError); - expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket: bucketName, Key }); }); }); @@ -313,8 +314,8 @@ describe('S3', () => { const anotherFakeError = Error({ statusCode: 500 }); beforeEach(() => { - s3.deleteObject = jest.fn(); - s3.deleteObject.mockImplementation(() => ({ + mockS3.deleteObject = jest.fn(); + mockS3.deleteObject.mockImplementation(() => ({ promise: () => Promise.resolve({ status: 200, data: {} }), })); }); @@ -338,11 +339,11 @@ describe('S3', () => { await expect(got).resolves.toStrictEqual({ status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, }); - expect(s3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); it('throws an error if promise rejects', async () => { - s3.deleteObject.mockImplementationOnce( + mockS3.deleteObject.mockImplementationOnce( () => ({ promise: () => Promise.reject(anotherFakeError), }), @@ -350,7 +351,7 @@ describe('S3', () => { const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); await expect(got).resolves.toStrictEqual({ data: { bucket: 'ttadp-test', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); - expect(s3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); }); }); }); From 30b1109eeca33438454cb325350fe833131a69cb Mon Sep 17 00:00:00 2001 
From: GarrettEHill Date: Mon, 14 Oct 2024 14:04:17 -0700 Subject: [PATCH 125/138] try this --- src/lib/s3.js | 12 ++++++------ src/lib/s3.test.js | 5 +++-- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/src/lib/s3.js b/src/lib/s3.js index 1431056c88..bc4332ad77 100644 --- a/src/lib/s3.js +++ b/src/lib/s3.js @@ -101,12 +101,12 @@ const verifyVersioning = async (bucket = bucketName, s3Client = s3) => { return data; }; -const downloadFile = (key, s3Client = s3) => { - if (!s3Client || !bucketName) { +const downloadFile = (key, s3Client = s3, Bucket = bucketName, ) => { + if (!s3Client || !Bucket) { throw new Error('S3 is not configured.'); } const params = { - Bucket: bucketName, + Bucket, Key: key, }; return s3Client.getObject(params).promise(); @@ -131,13 +131,13 @@ const getPresignedURL = (Key, Bucket = bucketName, s3Client = s3, Expires = 360) return url; }; -const uploadFile = async (buffer, name, type, s3Client = s3) => { - if (!s3Client || !bucketName) { +const uploadFile = async (buffer, name, type, s3Client = s3, Bucket = bucketName) => { + if (!s3Client || !Bucket) { throw new Error('S3 is not configured.'); } const params = { Body: buffer, - Bucket: bucketName, + Bucket, ContentType: type.mime, Key: name, }; diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 3fd67b764d..1893a27896 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -205,8 +205,9 @@ describe('S3', () => { }); it('Correctly Uploads the file and checks versioning', async () => { + const { bucketName } = generateS3Config(); process.env.NODE_ENV = 'production'; - const got = await uploadFile(buf, name, goodType, mockS3); + const got = await uploadFile(buf, name, goodType, mockS3, bucketName); expect(mockGet.mock.calls.length).toBe(1); expect(got).toBe(response); }); 
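Review bot: uploadFile now accepts a `Bucket` argument, but its body continues outside the hunk, so it is not visible whether the versioning check there is called with that bucket. If it still calls `verifyVersioning()` with defaults, versioning is verified on `bucketName` while the object is written to `Bucket`; the call should become `verifyVersioning(Bucket, s3Client)`. The new parameter order `(key, s3Client, Bucket)` in downloadFile and uploadFile is also the reverse of `getPresignedURL(Key, Bucket, s3Client)` and `verifyVersioning(bucket, s3Client)` in the same file, which invites swapped arguments. A comment on each signature explaining that the order is kept for existing callers would help. The trailing `, )` in the downloadFile signature is a lint error.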
@@ -227,7 +228,7 @@ describe('S3', () => { mockS3.getObject.mockImplementation(() => mockS3); // Call the function - const result = await downloadFile(key, mockS3); + const result = await downloadFile(key, mockS3, bucketName); // Verify getObject was called with the right parameters expect(mockS3.getObject).toHaveBeenCalledWith({ From 32ec01e09bebc9121c84d7dc07a4b0306d657c03 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 14:11:16 -0700 Subject: [PATCH 126/138] Update s3.js --- src/lib/s3.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/s3.js b/src/lib/s3.js index bc4332ad77..c686262785 100644 --- a/src/lib/s3.js +++ b/src/lib/s3.js @@ -101,7 +101,7 @@ const verifyVersioning = async (bucket = bucketName, s3Client = s3) => { return data; }; -const downloadFile = (key, s3Client = s3, Bucket = bucketName, ) => { +const downloadFile = (key, s3Client = s3, Bucket = bucketName) => { if (!s3Client || !Bucket) { throw new Error('S3 is not configured.'); } From f5598e3b0356243a82c0372a0c59234e2545cc42 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 14:40:30 -0700 Subject: [PATCH 127/138] Update s3.test.js --- src/lib/s3.test.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 1893a27896..779226dcca 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
@@ -336,11 +336,12 @@ describe('S3', () => { }); it('calls deleteFileFromS3Job() with correct parameters', async () => { - const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); + const { bucketName } = generateS3Config(); + const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: bucketName } }, mockS3); await expect(got).resolves.toStrictEqual({ status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, }); - expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket: bucketName, Key }); }); it('throws an error if promise rejects', async () => { From 586cdcae9d98c32d6476e413fbe3541544700d72 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 14:55:06 -0700 Subject: [PATCH 128/138] Update s3.test.js --- src/lib/s3.test.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 779226dcca..8742b019a1 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -337,7 +337,10 @@ describe('S3', () => { it('calls deleteFileFromS3Job() with correct parameters', async () => { const { bucketName } = generateS3Config(); - const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: bucketName } }, mockS3); + const got = deleteFileFromS3Job( + { data: { fileId: 1, fileKey: Key, bucket: bucketName } }, + mockS3, + ); await expect(got).resolves.toStrictEqual({ status: 200, data: { fileId: 1, fileKey: Key, res: { data: {}, status: 200 } }, }); From ca911b007e5acb45ef08dc794629306952f82959 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 15:15:18 -0700 Subject: [PATCH 129/138] Update s3.test.js --- src/lib/s3.test.js | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 8742b019a1..a1b12c97bc 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
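Review bot: This test pins the behaviour that `deleteFileFromS3Job` deletes from whatever `bucket` value arrives in the job payload, and nothing in the hunk covers a payload that names a bucket the application does not own. The job implementation is outside this diff, so it may already validate the field. If it does not, I would compare `bucket` against the configured bucket name before `deleteObject` is called and add a negative case such as `it('rejects a job whose bucket is not the configured bucket', ...)`. That keeps a malformed or tampered queue entry from turning into a delete against another bucket the credentials can reach.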
@@ -348,15 +348,23 @@ describe('S3', () => { }); it('throws an error if promise rejects', async () => { + const { bucketName } = generateS3Config(); mockS3.deleteObject.mockImplementationOnce( () => ({ promise: () => Promise.reject(anotherFakeError), }), ); - const got = deleteFileFromS3Job({ data: { fileId: 1, fileKey: Key, bucket: Bucket } }); - await expect(got).resolves.toStrictEqual({ data: { bucket: 'ttadp-test', fileId: 1, fileKey: 'fakeKey' }, res: undefined, status: 500 }); - expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket, Key }); + const got = deleteFileFromS3Job( + { data: { fileId: 1, fileKey: Key, bucket: bucketName } }, + mockS3, + ); + await expect(got).resolves.toStrictEqual({ + data: { bucket: bucketName, fileId: 1, fileKey: 'fakeKey' }, + res: undefined, + status: 500, + }); + expect(mockS3.deleteObject).toHaveBeenCalledWith({ Bucket: bucketName, Key }); }); }); }); From f61ce34dca8bacff214387f2dbd79f7d56319945 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 15:50:00 -0700 Subject: [PATCH 130/138] Update s3.test.js --- src/lib/s3.test.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index a1b12c97bc..10c26e5835 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js @@ -199,6 +199,10 @@ describe('S3', () => { afterAll(() => { process.env = oldEnv; }); + + afterEach(() => { + jest.resetAllMocks(); + }); it('throws an error if S3 is not configured', async () => { await expect(uploadFile(buf, name, goodType, null)).rejects.toThrow('S3 is not configured.'); From 44c724af81a233e5a90b553096cfbbcb5d0d2356 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 16:03:53 -0700 Subject: [PATCH 131/138] Update s3.test.js --- src/lib/s3.test.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/s3.test.js b/src/lib/s3.test.js index 10c26e5835..9a1fe582cd 100644 --- a/src/lib/s3.test.js +++ b/src/lib/s3.test.js 
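Review bot: The expected object in the -348 hunk mixes a variable with a literal: `bucket: bucketName` follows the config, but `fileKey: 'fakeKey'` stays hard-coded although the job is built with `fileKey: Key`. Using `fileKey: Key` keeps the assertion from drifting away from the fixture. The title also still reads `'throws an error if promise rejects'` while the body asserts a resolved value with `status: 500`; something like `'resolves with status 500 if the delete promise rejects'` would describe what is checked.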
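Review bot: `jest.resetAllMocks()` in the new `afterEach` (-199 hunk) clears mock implementations as well as call history, so any implementation installed once outside a `beforeEach` returns `undefined` from the second test onward. The `mockS3` setup is not visible in this hunk, so this is a point to verify rather than a confirmed break. If only call counts need resetting between tests, `jest.clearAllMocks();` is the narrower call; otherwise re-install the implementations in a `beforeEach`. A short comment such as `// reset call history so toHaveBeenCalledWith checks are per-test` would record the intent.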
@@ -199,7 +199,7 @@ describe('S3', () => { afterAll(() => { process.env = oldEnv; }); - + afterEach(() => { jest.resetAllMocks(); }); From af0ba2d1e4d0815a4d9dc994eeb7b8329b1c8e62 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Mon, 14 Oct 2024 23:37:52 -0700 Subject: [PATCH 132/138] Update s3.js --- src/lib/s3.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/s3.js b/src/lib/s3.js index c686262785..6e06c7b634 100644 --- a/src/lib/s3.js +++ b/src/lib/s3.js @@ -143,7 +143,7 @@ const uploadFile = async (buffer, name, type, s3Client = s3, Bucket = bucketName }; // Only check for versioning if not using Minio if (process.env.NODE_ENV === 'production') { - await verifyVersioning(); + await verifyVersioning(Bucket, s3Client); } return s3Client.upload(params).promise(); From 73ec01b64d26aac118ec588540f0eb9ba392ab62 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 15 Oct 2024 11:32:17 -0700 Subject: [PATCH 133/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 85deefbf3f..1233b197ba 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh @@ -433,6 +433,7 @@ function start_app { log "INFO" "Starting application '$app_name'..." if ! cf start "$app_name"; then log "ERROR" "Failed to start application '$app_name'." + stop_app exit 1 else log "INFO" "Application '$app_name' started successfully." @@ -646,7 +647,7 @@ main() { log "INFO" "Task execution succeeded." else log "ERROR" "Task execution failed." - stop_app "tta-automation" + stop_app exit 1 fi From e4f604f0000bd3867add73340da0802da3310e6e Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 15 Oct 2024 13:46:59 -0700 Subject: [PATCH 134/138] e2e --- .circleci/config.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
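Review bot: Cleanup is now repeated by hand on each failure path, with `stop_app` before `exit 1` in `start_app` (-433 hunk) and again in `main` (-646 hunk), so any exit path that lacks it leaves the automation app running. The manifest on this page binds that app to services through `((bound_services))`, which makes a leftover instance worth avoiding. I would register the cleanup once, e.g. `trap 'stop_app || true' EXIT` early in `main`, provided `stop_app` is safe to call when the app is already stopped. `stop_app` is also called without an argument now; its definition is outside both hunks, so confirm it falls back to the intended app name.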
diff --git a/.circleci/config.yml b/.circleci/config.yml index 2adcc613f3..42af3bffd4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1405,6 +1405,7 @@ workflows: - equal: [false, << pipeline.parameters.manual-restore >>] - equal: [false, << pipeline.parameters.manual-process >>] - equal: [false, << pipeline.parameters.manual-backup >>] + - equal: [false, << pipeline.parameters.manual-full-process >>] jobs: - build_and_lint - build_and_lint_similarity_api @@ -1536,3 +1537,17 @@ workflows: equal: [true, << pipeline.parameters.manual-backup >>] jobs: - process_backup + manual_production_to_processed: + when: + equal: [true, << pipeline.parameters.manual-full-process >>] + jobs: + - backup_upload_production + - restore_production_for_processing: + requires: + - backup_upload_production + - process_production: + requires: + - restore_production_for_processing + - process_backup: + requires: + - process_production From 0190c3d3f75cc8e44ccc9248b428efd8e724d9c1 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 15 Oct 2024 13:48:49 -0700 Subject: [PATCH 135/138] Update config.yml --- .circleci/config.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 42af3bffd4..57bd0ba495 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -678,6 +678,9 @@ parameters: manual-backup: type: boolean default: false + manual-full-process: + type: boolean + default: false jobs: build_and_lint: executor: docker-executor From 09979babd6485fd6adf7b0f10bc036adeb56156d Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 15 Oct 2024 15:36:03 -0700 Subject: [PATCH 136/138] Update process.yml --- automation/configs/process.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/automation/configs/process.yml b/automation/configs/process.yml index a0136917e2..4732c4aae5 100644 --- a/automation/configs/process.yml +++ b/automation/configs/process.yml 
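Review bot: `manual_production_to_processed` (-1536 hunk) starts `backup_upload_production` as soon as a pipeline is triggered with `manual-full-process` set to true; the workflow has no approval job and no branch filter. Anyone able to trigger a parameterised pipeline can therefore run the production backup, restore and processing chain from any branch, using that branch's copy of the scripts. The job definitions and their contexts are outside this hunk, so a restricted context may already limit this. If not, I would gate the first job behind an approval step as sketched below and restrict the workflow to the main branch.

```yaml
    jobs:
      - approve_full_process:
          type: approval
      - backup_upload_production:
          requires:
            - approve_full_process
      # … unchanged: restore_production_for_processing, process_production, process_backup …
```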
@@ -1,6 +1,6 @@ instances: 1 -memory: 512 MB -disk_quota: 1GB +memory: 512M +disk_quota: 1G buildpack: "https://github.com/cloudfoundry/nodejs-buildpack" command: "./automation/cf/scripts/idol.sh" From 695de266de4324973d836eaa48f9c23962d35290 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 15 Oct 2024 17:11:32 -0700 Subject: [PATCH 137/138] Update dynamic-manifest.yml --- automation/dynamic-manifest.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/automation/dynamic-manifest.yml b/automation/dynamic-manifest.yml index 89f0358152..77a5cd6952 100644 --- a/automation/dynamic-manifest.yml +++ b/automation/dynamic-manifest.yml @@ -2,7 +2,6 @@ applications: - name: tta-automation stack: cflinuxfs4 - health-check-type: process memory: ((memory)) disk_quota: ((disk_quota)) instances: ((instances)) @@ -11,3 +10,7 @@ applications: - ((buildpack)) command: ((command)) services: ((bound_services)) + processes: + - type: web # Explicitly define only the web process + instances: ((instances)) # Number of instances for the web process + memory: ((memory)) # Memory allocation for the web process From cebfade467b4142a23d788bd39a1bab61baa5cf2 Mon Sep 17 00:00:00 2001 From: GarrettEHill Date: Tue, 15 Oct 2024 17:19:40 -0700 Subject: [PATCH 138/138] Update cf_lambda.sh --- automation/ci/scripts/cf_lambda.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/automation/ci/scripts/cf_lambda.sh b/automation/ci/scripts/cf_lambda.sh index 1233b197ba..76480c473e 100644 --- a/automation/ci/scripts/cf_lambda.sh +++ b/automation/ci/scripts/cf_lambda.sh 
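Review bot: The dynamic-manifest.yml change removes `health-check-type: process` and the new `processes:` entry for `web` does not set one, so Cloud Foundry falls back to its default port health check for that process. The command comes from `((command))`, which `process.yml` on this page sets to `./automation/cf/scripts/idol.sh`; if that script does not listen on a port (its content is not shown), the instance is never reported healthy. I would add `health-check-type: process` under `- type: web`. The inline comment could also say why the process block exists, since `instances` and `memory` now appear at both application and process level.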
@@ -422,6 +422,21 @@ function push_app { log "INFO" "Application pushed successfully." fi + # Wait until the instance is running + while true; do + # Get the current status of the app instance + INSTANCE_STATUS=$(cf app tta-automation | grep "state" | awk '{print $2}') + + # Check if the instance is in the "running" state + if [ "$INSTANCE_STATUS" = "running" ]; then + log "INFO" "App instance is running. App is ready." + break + else + log "INFO" "Current status: $INSTANCE_STATUS. Waiting for the app instance to be running..." + sleep 5 + fi + done + # Restore original directory cd "$original_dir" }
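Review bot: The new wait loop in `push_app` has no upper bound, so an instance that crashes or never reaches `running` keeps the CI job polling until the platform kills it, with the pushed app left in place. The loop also hard-codes `tta-automation` and stores the result in a global `INSTANCE_STATUS`, and `grep "state"` matches any output line containing that word. I would cap the number of polls and fail through the same `stop_app` / `exit 1` path used in `start_app`, as sketched below. Whether an app-name variable is available inside `push_app` is not visible in this hunk; if it is, use it in the `cf app` call.

```shell
    local attempts=0
    local max_attempts=60  # constructed value: 60 polls x 5 s
    while true; do
        # … unchanged: read INSTANCE_STATUS, break when it is "running" …
        else
            attempts=$((attempts + 1))
            if [ "$attempts" -ge "$max_attempts" ]; then
                log "ERROR" "App instance did not reach 'running' after $attempts checks (last status: $INSTANCE_STATUS)."
                stop_app
                exit 1
            fi
            # … unchanged: log current status, sleep 5 …
        fi
    done
```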