Skip to content

Commit 7a436f7

Browse files
MikeMcC399MikeMcC399
committed
fix(deps): update vulnerable transient dependencies
Updates brace-expansion to 1.1.13 & 5.0.5 picomatch to 2.3.2 & 4.0.4
1 parent 68be0d4 commit 7a436f7

File tree

2 files changed

+323
-18
lines changed

2 files changed

+323
-18
lines changed

dist/index.js

Lines changed: 307 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15169,7 +15169,7 @@ function expand(str, isTop) {
1516915169
var y = numeric(n[1]);
1517015170
var width = Math.max(n[0].length, n[1].length)
1517115171
var incr = n.length == 3
15172-
? Math.abs(numeric(n[2]))
15172+
? Math.max(Math.abs(numeric(n[2])), 1)
1517315173
: 1;
1517415174
var test = lte;
1517515175
var reverse = y < x;
@@ -15218,7 +15218,6 @@ function expand(str, isTop) {
1521815218
}
1521915219

1522015220

15221-
1522215221
/***/ }),
1522315222

1522415223
/***/ 60748:
@@ -26703,6 +26702,8 @@ const path = __nccwpck_require__(16928);
2670326702
const WIN_SLASH = '\\\\/';
2670426703
const WIN_NO_SLASH = `[^${WIN_SLASH}]`;
2670526704

26705+
const DEFAULT_MAX_EXTGLOB_RECURSION = 0;
26706+
2670626707
/**
2670726708
* Posix glob regex
2670826709
*/
@@ -26766,6 +26767,7 @@ const WINDOWS_CHARS = {
2676626767
*/
2676726768

2676826769
const POSIX_REGEX_SOURCE = {
26770+
__proto__: null,
2676926771
alnum: 'a-zA-Z0-9',
2677026772
alpha: 'a-zA-Z',
2677126773
ascii: '\\x00-\\x7F',
@@ -26783,6 +26785,7 @@ const POSIX_REGEX_SOURCE = {
2678326785
};
2678426786

2678526787
module.exports = {
26788+
DEFAULT_MAX_EXTGLOB_RECURSION,
2678626789
MAX_LENGTH: 1024 * 64,
2678726790
POSIX_REGEX_SOURCE,
2678826791

@@ -26796,6 +26799,7 @@ module.exports = {
2679626799

2679726800
// Replace globs with equivalent patterns to reduce parsing time.
2679826801
REPLACEMENTS: {
26802+
__proto__: null,
2679926803
'***': '*',
2680026804
'**/**': '**',
2680126805
'**/**/**': '**'
@@ -26931,6 +26935,277 @@ const syntaxError = (type, char) => {
2693126935
return `Missing ${type}: "${char}" - use "\\\\${char}" to match literal characters`;
2693226936
};
2693326937

26938+
const splitTopLevel = input => {
26939+
const parts = [];
26940+
let bracket = 0;
26941+
let paren = 0;
26942+
let quote = 0;
26943+
let value = '';
26944+
let escaped = false;
26945+
26946+
for (const ch of input) {
26947+
if (escaped === true) {
26948+
value += ch;
26949+
escaped = false;
26950+
continue;
26951+
}
26952+
26953+
if (ch === '\\') {
26954+
value += ch;
26955+
escaped = true;
26956+
continue;
26957+
}
26958+
26959+
if (ch === '"') {
26960+
quote = quote === 1 ? 0 : 1;
26961+
value += ch;
26962+
continue;
26963+
}
26964+
26965+
if (quote === 0) {
26966+
if (ch === '[') {
26967+
bracket++;
26968+
} else if (ch === ']' && bracket > 0) {
26969+
bracket--;
26970+
} else if (bracket === 0) {
26971+
if (ch === '(') {
26972+
paren++;
26973+
} else if (ch === ')' && paren > 0) {
26974+
paren--;
26975+
} else if (ch === '|' && paren === 0) {
26976+
parts.push(value);
26977+
value = '';
26978+
continue;
26979+
}
26980+
}
26981+
}
26982+
26983+
value += ch;
26984+
}
26985+
26986+
parts.push(value);
26987+
return parts;
26988+
};
26989+
26990+
const isPlainBranch = branch => {
26991+
let escaped = false;
26992+
26993+
for (const ch of branch) {
26994+
if (escaped === true) {
26995+
escaped = false;
26996+
continue;
26997+
}
26998+
26999+
if (ch === '\\') {
27000+
escaped = true;
27001+
continue;
27002+
}
27003+
27004+
if (/[?*+@!()[\]{}]/.test(ch)) {
27005+
return false;
27006+
}
27007+
}
27008+
27009+
return true;
27010+
};
27011+
27012+
const normalizeSimpleBranch = branch => {
27013+
let value = branch.trim();
27014+
let changed = true;
27015+
27016+
while (changed === true) {
27017+
changed = false;
27018+
27019+
if (/^@\([^\\()[\]{}|]+\)$/.test(value)) {
27020+
value = value.slice(2, -1);
27021+
changed = true;
27022+
}
27023+
}
27024+
27025+
if (!isPlainBranch(value)) {
27026+
return;
27027+
}
27028+
27029+
return value.replace(/\\(.)/g, '$1');
27030+
};
27031+
27032+
const hasRepeatedCharPrefixOverlap = branches => {
27033+
const values = branches.map(normalizeSimpleBranch).filter(Boolean);
27034+
27035+
for (let i = 0; i < values.length; i++) {
27036+
for (let j = i + 1; j < values.length; j++) {
27037+
const a = values[i];
27038+
const b = values[j];
27039+
const char = a[0];
27040+
27041+
if (!char || a !== char.repeat(a.length) || b !== char.repeat(b.length)) {
27042+
continue;
27043+
}
27044+
27045+
if (a === b || a.startsWith(b) || b.startsWith(a)) {
27046+
return true;
27047+
}
27048+
}
27049+
}
27050+
27051+
return false;
27052+
};
27053+
27054+
const parseRepeatedExtglob = (pattern, requireEnd = true) => {
27055+
if ((pattern[0] !== '+' && pattern[0] !== '*') || pattern[1] !== '(') {
27056+
return;
27057+
}
27058+
27059+
let bracket = 0;
27060+
let paren = 0;
27061+
let quote = 0;
27062+
let escaped = false;
27063+
27064+
for (let i = 1; i < pattern.length; i++) {
27065+
const ch = pattern[i];
27066+
27067+
if (escaped === true) {
27068+
escaped = false;
27069+
continue;
27070+
}
27071+
27072+
if (ch === '\\') {
27073+
escaped = true;
27074+
continue;
27075+
}
27076+
27077+
if (ch === '"') {
27078+
quote = quote === 1 ? 0 : 1;
27079+
continue;
27080+
}
27081+
27082+
if (quote === 1) {
27083+
continue;
27084+
}
27085+
27086+
if (ch === '[') {
27087+
bracket++;
27088+
continue;
27089+
}
27090+
27091+
if (ch === ']' && bracket > 0) {
27092+
bracket--;
27093+
continue;
27094+
}
27095+
27096+
if (bracket > 0) {
27097+
continue;
27098+
}
27099+
27100+
if (ch === '(') {
27101+
paren++;
27102+
continue;
27103+
}
27104+
27105+
if (ch === ')') {
27106+
paren--;
27107+
27108+
if (paren === 0) {
27109+
if (requireEnd === true && i !== pattern.length - 1) {
27110+
return;
27111+
}
27112+
27113+
return {
27114+
type: pattern[0],
27115+
body: pattern.slice(2, i),
27116+
end: i
27117+
};
27118+
}
27119+
}
27120+
}
27121+
};
27122+
27123+
const getStarExtglobSequenceOutput = pattern => {
27124+
let index = 0;
27125+
const chars = [];
27126+
27127+
while (index < pattern.length) {
27128+
const match = parseRepeatedExtglob(pattern.slice(index), false);
27129+
27130+
if (!match || match.type !== '*') {
27131+
return;
27132+
}
27133+
27134+
const branches = splitTopLevel(match.body).map(branch => branch.trim());
27135+
if (branches.length !== 1) {
27136+
return;
27137+
}
27138+
27139+
const branch = normalizeSimpleBranch(branches[0]);
27140+
if (!branch || branch.length !== 1) {
27141+
return;
27142+
}
27143+
27144+
chars.push(branch);
27145+
index += match.end + 1;
27146+
}
27147+
27148+
if (chars.length < 1) {
27149+
return;
27150+
}
27151+
27152+
const source = chars.length === 1
27153+
? utils.escapeRegex(chars[0])
27154+
: `[${chars.map(ch => utils.escapeRegex(ch)).join('')}]`;
27155+
27156+
return `${source}*`;
27157+
};
27158+
27159+
const repeatedExtglobRecursion = pattern => {
27160+
let depth = 0;
27161+
let value = pattern.trim();
27162+
let match = parseRepeatedExtglob(value);
27163+
27164+
while (match) {
27165+
depth++;
27166+
value = match.body.trim();
27167+
match = parseRepeatedExtglob(value);
27168+
}
27169+
27170+
return depth;
27171+
};
27172+
27173+
const analyzeRepeatedExtglob = (body, options) => {
27174+
if (options.maxExtglobRecursion === false) {
27175+
return { risky: false };
27176+
}
27177+
27178+
const max =
27179+
typeof options.maxExtglobRecursion === 'number'
27180+
? options.maxExtglobRecursion
27181+
: constants.DEFAULT_MAX_EXTGLOB_RECURSION;
27182+
27183+
const branches = splitTopLevel(body).map(branch => branch.trim());
27184+
27185+
if (branches.length > 1) {
27186+
if (
27187+
branches.some(branch => branch === '') ||
27188+
branches.some(branch => /^[*?]+$/.test(branch)) ||
27189+
hasRepeatedCharPrefixOverlap(branches)
27190+
) {
27191+
return { risky: true };
27192+
}
27193+
}
27194+
27195+
for (const branch of branches) {
27196+
const safeOutput = getStarExtglobSequenceOutput(branch);
27197+
if (safeOutput) {
27198+
return { risky: true, safeOutput };
27199+
}
27200+
27201+
if (repeatedExtglobRecursion(branch) > max) {
27202+
return { risky: true };
27203+
}
27204+
}
27205+
27206+
return { risky: false };
27207+
};
27208+
2693427209
/**
2693527210
* Parse the given input string.
2693627211
* @param {String} input
@@ -27112,6 +27387,8 @@ const parse = (input, options) => {
2711227387
token.prev = prev;
2711327388
token.parens = state.parens;
2711427389
token.output = state.output;
27390+
token.startIndex = state.index;
27391+
token.tokensIndex = tokens.length;
2711527392
const output = (opts.capture ? '(' : '') + token.open;
2711627393

2711727394
increment('parens');
@@ -27121,6 +27398,34 @@ const parse = (input, options) => {
2712127398
};
2712227399

2712327400
const extglobClose = token => {
27401+
const literal = input.slice(token.startIndex, state.index + 1);
27402+
const body = input.slice(token.startIndex + 2, state.index);
27403+
const analysis = analyzeRepeatedExtglob(body, opts);
27404+
27405+
if ((token.type === 'plus' || token.type === 'star') && analysis.risky) {
27406+
const safeOutput = analysis.safeOutput
27407+
? (token.output ? '' : ONE_CHAR) + (opts.capture ? `(${analysis.safeOutput})` : analysis.safeOutput)
27408+
: undefined;
27409+
const open = tokens[token.tokensIndex];
27410+
27411+
open.type = 'text';
27412+
open.value = literal;
27413+
open.output = safeOutput || utils.escapeRegex(literal);
27414+
27415+
for (let i = token.tokensIndex + 1; i < tokens.length; i++) {
27416+
tokens[i].value = '';
27417+
tokens[i].output = '';
27418+
delete tokens[i].suffix;
27419+
}
27420+
27421+
state.output = token.output + open.output;
27422+
state.backtrack = true;
27423+
27424+
push({ type: 'paren', extglob: true, value, output: '' });
27425+
decrement('parens');
27426+
return;
27427+
}
27428+
2712427429
let output = token.close + (opts.capture ? ')' : '');
2712527430
let rest;
2712627431

0 commit comments

Comments
 (0)