
braces: please read! #148

Open
jonschlinkert opened this issue Mar 5, 2019 · 10 comments

Comments

@jonschlinkert
Member

jonschlinkert commented Mar 5, 2019

Do not create issues related to braces

TLDR; Delete all lock files, then reinstall. This was fixed a long time ago. If you're still not sure what to do, please don't comment here, you will find more information and support by searching Google and StackOverflow.

  1. braces was fixed ages ago, within a day or two of the report being created
  2. Semver makes this really simple. Patch the root library once, and all downstream libraries get the patch. Thus, any library that depends on braces will automatically get the patched version by simply reinstalling. If you are not getting the latest version, you are probably using a lockfile that is preventing semver from doing its job.
  3. Don't create issues on dependent libraries when you see a vulnerability message. ALWAYS, AND ONLY create issues on the library that has the vulnerability so that it can be patched. ONLY WHEN AND IF that library has not been fixed in a timely manner does it make sense to create an issue on dependent libraries.

More info here

@jonschlinkert jonschlinkert pinned this issue Mar 5, 2019
@Glazy
Contributor

Glazy commented Mar 5, 2019

I was just about to come and close my issue as I realised this but you beat me to it! Thanks for the explanation and apologies for the spam issue 👍

@jonschlinkert
Member Author

Lol, I think I've closed at least 20 braces issues in the past week. No worries, I know no one is doing it intentionally.

@dcruceanu

And if you were wondering why, that's because no one explained CLEARLY what we should do to fix that. I will use semver, ok, thanks... But I had just added it through npm add and received the same error ....

@vaishnavravi33

vaishnavravi33 commented Mar 27, 2019

Hi,

Greetings!

Dependency on insecure version of braces.

I am currently learning Electron, and when I used the "npm install" command to install packages,
it showed the warning "Some vulnerabilities require your attention to resolve".

I think electron is using "check-for-leaks", and the dependency chain of the packages is shown below:

check-for-leaks > anymatch > micromatch > braces

So, request to update the micromatch dependency on braces version 1.8.5 to braces version >= 2.3.1.

for more info https://nodesecurity.io/advisories/786

If anyone has an idea about the resolution of the issue with "check-for-leaks" with electron then please guide.
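The thread's point about lockfiles (jonschlinkert's explanation above) and the nested chain reported above can be checked mechanically. The script below is an added example, not code from the braces project or from any commenter: it walks a lockfileVersion 1 package-lock.json and reports every nested copy of a package, flagging those pinned below the first patched release. The lockfile contents and the non-braces version numbers are constructed for illustration; the chain and the 2.3.1 threshold are the ones quoted in this thread.

```javascript
// Added example (not from the braces project or any commenter): find every copy
// of a package that a lockfileVersion 1 package-lock.json has pinned, and flag
// the ones still below the first patched release named in the advisory.

const PATCHED = '2.3.1'; // first braces release the advisory lists as fixed

// Minimal semver-style comparison on the numeric major.minor.patch triple
// (prerelease tags are not handled; enough for the plain versions in a lockfile).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect { chain, version, vulnerable } for every copy of `name`,
// including copies nested under other packages (the ones `npm audit` reports).
function findPinnedCopies(lock, name, patched = PATCHED) {
  const hits = [];
  const walk = (deps, chain) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = [...chain, dep];
      if (dep === name) {
        hits.push({ chain: path.join(' > '), version: info.version,
                    vulnerable: compareVersions(info.version, patched) < 0 });
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile: an up-to-date hoisted copy plus one stale nested copy
// along the chain quoted in the thread. Versions other than braces are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    braces: { version: '2.3.2' },
    'check-for-leaks': { version: '1.0.0', dependencies: {
      anymatch: { version: '1.0.0', dependencies: {
        micromatch: { version: '2.0.0', dependencies: {
          braces: { version: '1.8.5' } } } } } } }
  }
};

for (const h of findPinnedCopies(SAMPLE_LOCK, 'braces')) {
  console.log(`${h.vulnerable ? 'STALE' : 'ok   '} ${h.chain}@${h.version}`);
}
```

A hit marked STALE is a lockfile entry that a plain reinstall will keep; deleting the lockfile (or re-resolving that entry) lets the semver range pull the patched release, which is what the pinned comment asks for.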

@MobileVet

MobileVet commented Apr 4, 2019

@jonschlinkert Sorry to hear you are getting bombarded about the issue with braces.

You mention

Patch the root library once, and all downstream libraries get the patch.

What is your best practice for patching root libraries?

I tried to use patch-package but it came back and said that there weren't any changes, so it didn't create a patch. I also looked into adjusting the package-lock.json file and using npm ci, but that isn't currently supported by Heroku, so it doesn't appear to be a solid solution.

@phated
Member

phated commented May 14, 2019

@G-Rath the way you solve this issue is not to try to backport breaking changes (as indicated by the semver major increase) into an older semver version, because that isn't possible when following semver. You need to update the affected library that is using outdated dependencies, remove it from your dependency chain, or (my recommended solution) don't just blindly try to remove npm audit reports, because the braces issue doesn't affect development tooling.

glensc added a commit to ekspress-grupp/synthproxy that referenced this issue Sep 14, 2021
rocketstack-matt added a commit to rocketstack-matt/architecture-as-code that referenced this issue May 21, 2024
…nd resolve braces CVE report in cli-node-scan
rocketstack-matt added a commit to finos/architecture-as-code that referenced this issue May 21, 2024
…nd resolve braces CVE report in cli-node-scan (#209)