High vulnerability in 'braces' dependency

[apptio-mrejdych]

Hey Team
Snyk found high vulnerability in your package connected to 'braces' dependency

https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727
https://www.cve.org/CVERecord?id=CVE-2024-4068

Is there any chance to fix it?

[gagadzq]

I encountered the same problem. Maybe Braces team is working on resolving this issue. Refer to micromatch/braces#36

[paulmillr]

1. It is not a real vulnerability. It is another shit that got cve [BUG] Vulnerabilities Found in Micromatch and Braces #243
2. CVE rating 7.5 is nonsense. More like 2.5
3. They can’t even produce a working ezploit
4. There are no other packages to switch. They are either esm only, or very slow, or potentially dangerous with unknown maintainers

[Experimental-products]

If anyone is hoping to release software without any knownvulnerabilities this is a problem, however we judge the severity ourselves. The problem exists, colleagues/coworkers/clients/customers of us all will likely be put off by this issue as more and more security tools flag this issue.

As the screenshot below indicates, "braces" has not had any updates in 5 years, so maybe micromatch can look at switching to an alternative that is better maintained?

[paulmillr]

micromatch is made by braces founders...

[paulmillr]

anyways will close it since braces fix is in and we just need to release it. micromatch will autofetch the update.