micromatch vulnerable at v4.0.5

[benjsmi]

Describe the feature you'd love to see

https://github.com/chimurai/http-proxy-middleware/blob/master/package.json#L93

micromatch is vulnerable at v4.0.5 as per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4067. To me, it doesn't look like they are going to cut a new release -- their last commit was in 2019.

So this is a feature request to move to a different matching package -- one that is maintained more regularly or at least isn't vulnerable to this CVE.

Additional context (optional)

No response

[chimurai]

Thanks for the report.

To get some facts right:
micromatch last commit dates 2 months ago (March 28th 2024) (not 2019 like you mentioned).
See commit: micromatch/micromatch@6b3526f

Please follow threads in micromatch with ongoing updates:

• [BUG] Vulnerabilities Found in Micromatch and Braces micromatch/micromatch#243
• High vulnerability in 'braces' dependency  micromatch/micromatch#254

A fix has landed in micromatch/braces and will be released in 3.0.3

• fix: vulnerability micromatch/braces#37
• Braces is marked as DoS vulnerable via Memory Exhaustion by Blackduck micromatch/braces#36 (comment)

Suggestion is to monitor the upstream progress.
And update your transitive packages as soon as the fix has been released.

[paulmillr]

There is NO vulnerability: micromatch/braces#37 (comment)

[chimurai]

To resolve the issue, update your package lockfile to micromatch@4.0.6 or higher.