Bump micromatch to 4.0.6 #96

Open · wants to merge 1 commit into master

Conversation

@nilsel nilsel commented Aug 1, 2024

Stumbled across this on a React project: [email protected] has a bug, CVE-2024-4068, which could lead to OOM errors (apparently not easy to trigger, but I managed to do it somehow). [email protected] was used in [email protected].

Couldn't find any mentions of either micromatch or braces in issues/PRs.

This was pretty deep down in our monorepo dependency graph 😅:

➜  storeblocks git:(main) npm ls braces 
storybook@ /Users/me/some-dir/storeblocks
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected] deduped

Error trace (snipped):

✖  nx run @storeblocks/table:lint
      Linting "@storeblocks/table"...
      <--- Last few GCs --->
      [31879:0x148008000]    29784 ms: Mark-Compact 4042.9 (4138.1) -> 4033.1 (4141.6) MB, pooled: 2 MB, 1509.42 / 0.00 ms  (average mu = 0.303, current mu = 0.011) allocation failure; scavenge might not succeed
      <--- JS stacktrace --->
      FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory

[email protected] commit which updated braces to 3.0.3: micromatch/micromatch@92d490d

I'm no expert on react-docgen-typescript-plugin (or TS in general), so if I'm wrong you may just close this. Also I'm not sure if @types/micromatch should be updated also.

Anyhow, thanks for creating and open sourcing this package ❤️

@nilsel (Author) commented Aug 1, 2024

Sorry, I may have been too eager on this one: after deleting package-lock.json and running npm i react-docgen-typescript-plugin@latest (we had ^1.0.5 in package.json), @latest got us to ^1.0.8, which in turn installed [email protected].
Something something lockfile 😅 🤦

storybook@ /Users/me/some-dir/storeblocks
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected] deduped

Versions/tools used (nx report):

Node           : 20.14.0
OS             : darwin-arm64
Native Target  : aarch64-macos
npm            : 10.7.0

nx          : 19.5.4
lerna       : 8.1.7
@nx/devkit  : 19.5.4
@nrwl/tao   : 19.5.4
typescript  : 5.0.4
