Skip to content

Commit

Permalink
optimize regex
Browse files Browse the repository at this point in the history
jonschlinkert committed Feb 16, 2018
1 parent 3793414 commit abdafb0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/parsers.js
Original file line number Diff line number Diff line change
@@ -127,7 +127,7 @@ module.exports = function(braces, options) {
.set('multiplier', function() {
var isInside = this.isInside('brace');
var pos = this.position();
var m = this.match(/^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/);
var m = this.match(/^\{((?:,|\{,+\})+)\}/);
if (!m) return;

this.multiplier = true;

8 comments on commit abdafb0

@sathish-spidie
Copy link

@sathish-spidie sathish-spidie commented on abdafb0 Apr 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you explain, how to achieve this? I'm a low-level developer and didn't understand why this code stands for and what to do with it! sorry if I waste your time by making you read this comment, in case you find this comment useless.

my error is

` Low Regular Expression Denial of Service

Package braces

Patched in >=2.3.1

Dependency of browser-sync [dev]

Path browser-sync > micromatch > braces

More info https://npmjs.com/advisories/786 `

@kousu
Copy link

@kousu kousu commented on abdafb0 Apr 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sathish-spidie , you can find out the solution on the link there: https://npmjs.com/advisories/786:

Remediation

Upgrade to version 2.3.1 or higher.

What this means is that in your package.json you should make sure the line for "braces" under "dependencies" says

"braces": "^2.3.1",

and then delete your cached npm packages by

rm -r node_modules/ package-lock.json

and then

npm install

If you don't directly depend on "braces", which is the situation I am in, you can use

npm list

to figure out which of your packages is depending on "braces", and then go make sure to update each of those packages in the same way: version bump them, make sure to prefix the versions of everything with "^", and then delete your packages and regenerate package-lock.json by redoing npm install; that will get the latest, hopefully bugfixed, versions of all your packages; but if any of your packages have not yet updated to use "braces": "^2.3.1" then you will have to go to their github projects and file an issue.


A comment on a commit inside the braces project isn't really a proper general support forum for npm. For that, and for future questions, you will probably have good luck asking at https://npm.community/c/support. I hope the above helps and lets you extend your developer skills.

@jonschlinkert
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kousu that was a fantastic description, and a really good summary of the steps that need to be taken. Thank you!

you will probably have good luck asking at https://npm.community/c/support. I hope the above helps and lets you extend your developer skills.

Only one thing I'd like to point out. Generally, https://npm.community/c/support is for NPM support, not for packages like this one. Meaning, if you need something directly related to the package manager itself, that's the place to go. But ideally, when a user has an issue or support question like this, the best place to get answers is to:

  1. read through previous issues first - @sathish-spidie would have seen that this question has been answered a couple of dozen times already on this project and other projects that depend on this one
  2. StackOverflow - people get reputation points for helping others
  3. if it seems like no one has addressed the issue already, and you have genuinely stumbled across a previously undiscovered bug, then create a new issue on the GitHub repository of the code project.

@KevinGrant12
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello, I have the same exact issue that stems from babel.
I was unable to run this line rm -r node_modules/ package-lock.json and it makes sense because the packag-lock is not inside the node_modules directory.
When I run npm list I can see that instances of 'braces' are at 2.3.2.

Any thoughts on how to fix?
Thanks!

@biggianteye
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was unable to run this line rm -r node_modules/ package-lock.json and it makes sense because the packag-lock is not inside the node_modules directory.

There is a space between node_modules and package-lock.json. The lock file is not inside the node_modules folder. It's at the same level.

@robpl1
Copy link

@robpl1 robpl1 commented on abdafb0 Jul 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The problem I have here is that the braces package itself is showing
{ "_from": "braces@^1.8.2",
"_id": "braces@1.8.5",

So how to update that would help.

@martynawilkonska
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have the same problem. I am unable to update braces, after reinstall they are still 1.8.5.

@janzenz
Copy link

@janzenz janzenz commented on abdafb0 Oct 8, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@martynawilkonska have you removed your node_modules cache and package-lock.json file? If not, try that and npm install again. If it still does that, my next hunch is that you're braces is a transitive dependency in your package. Try npm ls braces and see which package requires it and maybe you can try and upgrade that parent package which potentially will fix your problem.

Please sign in to comment.