Closed ssk101 closed 3 years ago
@goto-bus-stop is there anything I can help with to move this forward?
The Travis CI build will never pass, because the project tests 5 old versions of Node.js, but fsevents 2.x, used by chokidar 3.x, only supports Node.js 8+: https://www.npmjs.com/package/fsevents
We have had to skip testing watchify on macOS in the Node.js smoke test suite CITGM due to failures related to this old dependency.
Now the first security warnings have arrived for dependencies of the old chokidar 2.1.x version. Now this update may get a bit more priority, I hope...
Watchify depends on chokidar 2.1.x (2.1.8 as latest), which depends (in the end) on old cache-base@1.0.1.
Older cache-base releases have a prototype pollution problem, fixed with later cache-base 4.x releases... Currently no update is available, as chokidar 2.1 is not supported anymore. The update to the latest chokidar@3.4.4 will fix these security warnings.
watchify@3.11.1 > chokidar@2.1.8 > braces@2.3.2 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1
And, another positive side effect: using chokidar 3.x instead of 2.1 dramatically reduces the dependency count (see https://paulmillr.com/posts/chokidar-3-save-32tb-of-traffic/).
Security warning: https://snyk.io/vuln/SNYK-JS-CACHEBASE-1054631
Addon - anymatch
anymatch should be updated to the latest 3.x too, as chokidar depends on anymatch 3.1 and not 2.x anymore, to not pull duplicate dependencies and (more important) because old anymatch@2.x fetches the vulnerable cache-base too.
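The chain quoted above can be reproduced mechanically from a lockfile rather than by eye. The script below is an added example, not code from watchify or from anyone in this thread: it walks a lockfileVersion 1 tree, resolves each `requires` entry the way Node does (nearest enclosing `dependencies` map first, then outward to the root), and reports every path that ends at a `cache-base` version below 4.0.0, which is how the comment describes the fix. The two lockfile fragments, the `some-tool` package and the version ranges are constructed for the example, not copied from the registry.

```javascript
// Added example (not watchify's code): list every dependency path in an npm
// lockfile that ends at a vulnerable package version.
// Assumptions: lockfileVersion 1 layout ("dependencies" maps with "version",
// "requires" and optional nested "dependencies"), plain x.y.z versions, and an
// advisory modelled as "cache-base < 4.0.0" (the thread says 4.x fixed it).

const ADVISORY = { name: "cache-base", fixedIn: "4.0.0" };

function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10) || 0);
}

// True when `version` sorts below `fixedIn` (numeric major.minor.patch compare).
function isVulnerable(version, fixedIn) {
  const a = parseVersion(version), b = parseVersion(fixedIn);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Resolve `name` like Node's module lookup: the innermost enclosing
// "dependencies" map that contains it wins, walking outward to the root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const entry = scopes[i] && scopes[i][name];
    if (entry) return { entry, scopeIndex: i };
  }
  return null;
}

// Depth-first walk from each named root package; returns "a@1 > b@2 > ..."
// strings for every path that reaches a vulnerable advisory.name version.
function findVulnerablePaths(lockfile, rootNames, advisory = ADVISORY) {
  const found = [];
  function walk(name, scopes, trail) {
    const hit = resolve(name, scopes);
    if (!hit) return; // not installed (e.g. optional dep); nothing to follow
    const { entry, scopeIndex } = hit;
    const label = `${name}@${entry.version}`;
    if (trail.includes(label)) return; // cycle guard
    const path = [...trail, label];
    if (name === advisory.name && isVulnerable(entry.version, advisory.fixedIn)) {
      found.push(path.join(" > "));
      return;
    }
    // This package's requires see the scopes up to where it lives, plus its
    // own nested node_modules (if the lockfile has one).
    const next = scopes.slice(0, scopeIndex + 1);
    if (entry.dependencies) next.push(entry.dependencies);
    for (const dep of Object.keys(entry.requires || {})) walk(dep, next, path);
  }
  for (const root of rootNames) walk(root, [lockfile.dependencies], []);
  return found;
}

// Constructed lockfile fragment mirroring the pre-upgrade chain from the issue.
const LOCK_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    watchify:   { version: "3.11.1", requires: { chokidar: "^2.1.1", anymatch: "^2.0.0" } },
    chokidar:   { version: "2.1.8",  requires: { braces: "^2.3.2", anymatch: "^2.0.0" } },
    anymatch:   { version: "2.0.0",  requires: { micromatch: "^3.1.4" } },
    micromatch: { version: "3.1.10", requires: { braces: "^2.3.1", snapdragon: "^0.8.1" } },
    braces:     { version: "2.3.2",  requires: { snapdragon: "^0.8.1" } },
    snapdragon: { version: "0.8.2",  requires: { base: "^0.11.1" } },
    base:       { version: "0.11.2", requires: { "cache-base": "^1.0.1" } },
    "cache-base": { version: "1.0.1", requires: {} },
    // Hypothetical package that already pins a fixed cache-base in its own
    // node_modules: the nested copy must shadow the vulnerable root one.
    "some-tool": {
      version: "1.0.0",
      requires: { "cache-base": "^4.0.0" },
      dependencies: { "cache-base": { version: "4.0.0", requires: {} } },
    },
  },
};

// Constructed fragment after moving to chokidar 3.x / anymatch 3.x.
const LOCK_AFTER = {
  lockfileVersion: 1,
  dependencies: {
    watchify:     { version: "4.0.0", requires: { chokidar: "^3.4.4", anymatch: "^3.1.1" } },
    chokidar:     { version: "3.4.4", requires: { anymatch: "~3.1.1", braces: "~3.0.2" } },
    anymatch:     { version: "3.1.1", requires: { picomatch: "^2.0.4" } },
    braces:       { version: "3.0.2", requires: { "fill-range": "^7.0.1" } },
    picomatch:    { version: "2.2.2", requires: {} },
    "fill-range": { version: "7.0.1", requires: {} },
  },
};

for (const p of findVulnerablePaths(LOCK_BEFORE, ["watchify", "some-tool"])) console.log(p);
console.log("after upgrade:", findVulnerablePaths(LOCK_AFTER, ["watchify"]).length, "paths");
```

Against the pre-upgrade fragment this prints five paths (chokidar's own chain plus the ones pulled in through anymatch@2.x, which is the point of the addon above), and none after the upgrade. On a real project, `JSON.parse(fs.readFileSync("package-lock.json"))` feeds the same function, and `npm ls cache-base` or `npm audit` will show the same chains from the installed tree.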
Merged in https://github.com/browserify/watchify/pull/378 and released as 4.x. Thanks for the PR!
Older versions of Chokidar have a few issues watching large amounts of files (as in no events are triggered on file changes after a while).