"braces" dependency vulnerable to "Uncontrolled resource consumption" CVE

[patrick-laa]

sass depends on chokidar which depends on braces and as of today (13 May) there's an unpatched CVE https://www.cve.org/CVERecord?id=CVE-2024-4068 meaning that sass is flagged up as problematic by automated scanners such as Snyk.

Just flagging this up - I don't know how likely to be fixed imminently this is, as the initial thread suggests this was first disclosed in September.

[ntkme]

sass npm package is NOT vulnerable.

Please do not blindly trust the nearly useless automated scanners as they only do version checks and never check if an exploitable code path really exists.

Here is why it is not affected:

dart-sass/lib/src/io/js.dart

Line 256 in 372f15c

path, ChokidarOptions(disableGlobbing: true, usePolling: poll));

sass sets disableGlobbing: true, in chokidar it will create a WatchHelper with path === watchPath:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L792-L797

The hasGlob attribute is set to false:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L210

When hasGlob is false, getDirParts, the only function that uses braces, returns early without calling braces:

https://github.com/paulmillr/chokidar/blob/7c50e25d10a497ce4409f6e52eb630f0d7647b97/index.js#L255-L256

---

TL;DR: Although braces is installed as a transitive dependency of sass, it's never used by sass, thus sass is not vulnerable.

[patrick-laa]

Thank you for explaining so clearly!