Shrinkwrap is forcing insecure dependencies

[isaacs]

Describe the bug

Because this module ships with a shrinkwrap, it is impossible to avoid using the insecure braces@3.0.2, even using overrides.

Please either keep all dependencies up to date with security advisories, or remove the shrinkwrap from the deployment so that we can get security updates.

Steps to reproduce

• npm install netlify-cli
• npm audit

Observe that braces@3.0.2 is present in the tree, and cannot be overridden, due to the npm-shrinkwrap.json

Configuration

Not relevant.

Environment

System:
OS: macOS 14.5
CPU: (16) arm64 Apple M3 Max
Memory: 14.46 GB / 128.00 GB
Shell: 5.2.0 - /usr/local/bin/bash
Binaries:
Node: 20.13.1 - /usr/local/bin/node
Yarn: 1.22.18 - /usr/local/bin/yarn
npm: 10.7.0 - /usr/local/bin/npm
pnpm: 9.2.0 - /usr/local/bin/pnpm
bun: 1.1.6 - ~/bin/bun
npmPackages:
netlify-cli: ^17.29.0 => 17.29.0

[merlyn-at-netlify]

Thanks, @isaacs. For context the impact is not very severe given the context that Netlify CLI runs in:

Affected versions of this package are vulnerable to Uncontrolled resource consumption due improper limitation of the number of characters it can handle, through the parse function. An attacker can cause the application to allocate excessive memory and potentially crash by sending imbalanced braces as input.

From: https://security.snyk.io/package/npm/braces/3.0.2

[isaacs]

Yeah, it's more annoying than actually hazardous, for sure. But such is life in a world that incentivizes getting your name on a CVE more than it does the subtle nuance of actual security.

[G-Rath]

Related:

• Latest version of cli is pulling in insecure packages that have available patches #6508
• Impossible to update braces to ^3.0.3 #6739
• chore(deps): bump braces from 3.0.2 to 3.0.3 #6704
• [BUG] npm won't update to higher version of package allowed by constraints, preventing security patching npm/cli#7356

I'd really love to see the shrinkwrapping go, as it makes our live a lot harder and would let me make a very solid case for moving us off Vercel as they pin their direct dependencies while also remaining very behind the ball

[G-Rath]

there's now a new micromatch vulnerability that we cannot update due to the shrinkwrap: GHSA-952p-6rrq-rcjv

cc @sarahetter