Upgrade micromatch to avoid security vulnerability

[ehmicky]

[Feature request] Upgrade dependency

Jest including some of its sub-packages like jest-message-utils depend on micromatch version 2.3.11, which itself depends on braces version 1.8.5.

That version of braces has a RegExp vulnerability. This causes Jest and some of its sub-packages to be reporter by vulnerabilities tools like Snyk.

Upgrade all the packages that depend on micromatch to the latest version would solve that issue.

[thymikee]

Isn't the security update within semver range? If so, simply installing Jest once again should solve the issue.

[ehmicky]

The dependency is currently micromatch@^2.3.11 which should resolve to 2.3.11 (the last version in 2.*.*). micromatch 2.3.11 depends on braces@^1.8.2 which resolves to 1.8.5.

This is also why Snyk is reporting a vulnerability.

Please correct if I'm wrong or I missed something.

[thymikee]

Oh, we need to update to micromatch 3 then

[ehmicky]

Yes, sorry should have made that clearer.

[wtgtybhertgeghgtwtg]

If I'm remembering right, both jest and babel use micromatch@2 because micromatch@3 has a transitive dependency that doesn't bundle correctly. So this can't be fixed until micromatch/micromatch#122 get done.

[SimenB]

Correct, we're blocked on the bundling issue I've reported.

We might want to switch out rollup if it unblocks us

[JoshuaKGoldberg]

....and micromatch@3 breaks Windows. #6546

[SimenB]

@JoshuaKGoldberg see #6650

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.