Jest: ReDOS on micromatch/braces (reported on Feb 15th 2019)

Created on 16 Feb 2019  ·  10 Comments  ·  Source: facebook/jest

🐛 Bug Report

I have been noticing https://nodesecurity.io/advisories/786 warnings since yesterday. It looks like braces project had an update (https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451) to fix the ReDOS issue as well. Is there any chance Jest will update micromatch/braces to fix these warnings?

To Reproduce

135 vulnerabilities found - Packages audited: 52247
Severity: 135 Low
✨  Done in 1.58s.

Screenshot from terminal: (image not included; taken 2019-02-16)

Expected behavior

Link to repl or repo (highly encouraged)

See above.
braces fix link: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451

Run npx envinfo --preset jest

  System:
    OS: macOS 10.14.2
    CPU: (8) x64 Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
  Binaries:
    Node: 11.6.0 - ~/.nvm/versions/node/v11.6.0/bin/node
    Yarn: 1.13.0 - /usr/local/bin/yarn
    npm: 6.8.0 - ~/.nvm/versions/node/v11.6.0/bin/npm
  npmPackages:
    jest: ^23.6.0 => 23.6.0
Bug

All 10 comments

We've upgraded in Jest 24. We won't be releasing a patch for 23 unless there's a huge demand

create-react-app/react-scripts uses Jest 23 :(

I'd like to see a patch for Jest 23. Jest 24 has async/timeout issues that prevent us from upgrading.

Upgrading micromatch is a breaking change (we tried and had to revert: #6661), so I don't think it's possible to upgrade 23.

Jest 24 has async/timeout issues that prevent us from upgrading.

We haven't changed anything about that (afaik), sounds like a bug

Okay, thanks for trying! We'll just have to pin what version of braces we use in our project.

As for Jest 24, upgrading has resulted in lots of issues for us. Unit tests that have been reliable for months or years now time out randomly. When I first found this (February 7th), I glanced at the Jest issues that were recently opened and these looked similar:

https://github.com/facebook/jest/issues/7815
https://github.com/facebook/jest/issues/7817

There may be other GitHub issues at this point that better describe the problem (I haven't looked lately). We're considering Jest 24 DOA and sticking with version 23 for now.

Just FYI, the rails community is also stuck on jest 23 for now, because jest 24 drops support for babel 6 and we're still using babel 6, but not for much longer.

You can use jest 24 with babel 6 but you'll still need a bridge and babel-jest 23 to work properly. I think we have it documented in babel configuration docs on our website

You can use jest 24 with babel 6 but you'll still need a bridge and babel-jest 23 to work properly. I think we have it documented in babel configuration docs on our website

Thanks! I found this (https://jestjs.io/docs/en/getting-started.html#babel-6) but what is a "bridge"?

I meant [email protected] (a helper package from 6 to 7), but looks like it's not necessary :)

You just need the bridge if you want to use babel 7 with jest 22/23, not babel 6.

https://github.com/babel/babel-bridge
