Security: Vulnerable dependency 'braces' needs update to resolve CVE-2024-4068

**the bug**  
The current version of react-simple-chatbot (0.6.1) includes a security vulnerability through transitive dependencies that use an older version of 'braces' (< 3.0.3), identified as CVE-2024-4068. This vulnerability allows potential DoS attacks through uncontrolled resource consumption.

**To Reproduce**  
Steps to reproduce the behavior:
1. Install react-simple-chatbot@0.6.1
2. Run `npm audit` or check GitHub's Dependabot alerts
3. Observe the vulnerability warning for 'braces' through:
   - chokidar@2.1.8 (requires braces@^2.3.2)
   - micromatch@3.1.10 (requires braces@^2.3.1)

**Expected behavior**  
Dependencies should use braces >= 3.0.3 to prevent the vulnerability (CVE-2024-4068).

**Additional context**  
- CVE: CVE-2024-4068
- Advisory: GHSA-grv7-fg5c-xmjg
- The vulnerability cannot be fixed by end users due to explicit version requirements from transitive dependencies
- Fix requires updating the dependencies in react-simple-chatbot to use newer versions of chokidar and micromatch that support braces >= 3.0.3

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: Vulnerable dependency 'braces' needs update to resolve CVE-2024-4068 #387

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security: Vulnerable dependency 'braces' needs update to resolve CVE-2024-4068 #387

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions