gulp-watch has vulnerabilities and last commit 1 jan 2019

[ComLock]

│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp-watch > anymatch > micromatch > braces    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

The below issue is not beeing solved by the package maintainer: https://github.com/floatdrop/gulp-watch/issues/321

I don't know the proper solution, but here are some ideas:

• switch to webpack
• move gulp-watch from dependencies to development dependencies
• watch is not used, or not important, remove dependancy all together
• fork gulp-watch and fix the vulnerability and release under some scope

[lubber-de]

FYI, https://fomantic-ui.com has been upgraded to gulp 4 already which depends on braces 2.3.2