ReDOS on micromatch/braces (reported on Feb 15th 2019)

[ranand]

🐛 Bug Report

I have been noticing https://nodesecurity.io/advisories/786 warnings since yesterday. It looks like braces project had an update (micromatch/braces@abdafb0) to fix the ReDOS issue as well. Is there any chance Jest will update micromatch/braces to fix these warnings?

To Reproduce

135 vulnerabilities found - Packages audited: 52247
Severity: 135 Low
✨  Done in 1.58s.

Screenshot from terminal:

Expected behavior

• yarn audit does not report any issues related to https://nodesecurity.io/advisories/786.

Link to repl or repo (highly encouraged)

See above.
braces fix link: micromatch/braces@abdafb0

Run npx envinfo --preset jest

  System:
    OS: macOS 10.14.2
    CPU: (8) x64 Intel(R) Core(TM) i7-8559U CPU @ 2.70GHz
  Binaries:
    Node: 11.6.0 - ~/.nvm/versions/node/v11.6.0/bin/node
    Yarn: 1.13.0 - /usr/local/bin/yarn
    npm: 6.8.0 - ~/.nvm/versions/node/v11.6.0/bin/npm
  npmPackages:
    jest: ^23.6.0 => 23.6.0

[SimenB]

We've upgraded in Jest 24. We won't be releasing a patch for 23 unless there's a huge demand

[sorahn]

create-react-app/react-scripts uses Jest 23 :(

[kaiyoma]

I'd like to see a patch for Jest 23. Jest 24 has async/timeout issues that prevent us from upgrading.

[SimenB]

Upgrading micromatch is a breaking change (we tried and had to revert: #6661), so I don't think it's possible to upgrade 23.

Jest 24 has async/timeout issues that prevent us from upgrading.

We haven't changed anything about that (afaik), sounds like a bug

[kaiyoma]

Okay, thanks for trying! We'll just have to pin what version of braces we use in our project.

As for Jest 24, upgrading has resulted in lots of issues for us. Unit tests that have been reliable for months or years now time out randomly. When I first found this (February 7th), I glanced at the Jest issues that were recently opened and these looked similar:

#7815
#7817

There may be other GitHub issues at this point that better describe the problem (I haven't looked lately). We're considering Jest 24 DOA and sticking with version 23 for now.

[jaredbeck]

Just FYI, the rails community is also stuck on jest 23 for now, because jest 24 drops support for babel 6 and we're still using babel 6, but not for much longer.

[thymikee]

You can use jest 24 with babel 6 but you'll still need a bridge and babel-jest 23 to work properly. I think we have it documented in babel configuration docs on our website

[jaredbeck]

You can use jest 24 with babel 6 but you'll still need a bridge and babel-jest 23 to work properly. I think we have it documented in babel configuration docs on our website

Thanks! I found this (https://jestjs.io/docs/en/getting-started.html#babel-6) but what is a "bridge"?

[thymikee]

I meant babel-core@7.0.0-brige.0 (a helper package from 6 to 7), but looks like it's not necessary :)