kmagiera / babel-watch

Reload your babel-node app on JS source file changes. And do it fast.
MIT License
528 stars 70 forks

Outdated chokidar version causing dependency vulnerability #104

Closed marcioaffonso closed 4 years ago

marcioaffonso commented 5 years ago

After running npm audit, you can see a vulnerability in babel-watch > chokidar > anymatch > micromatch > braces

Chokidar version should be updated.

STRML commented 5 years ago

I'm not seeing that on a reinstall. Try clearing your lockfile & reinstall babel-watch.

stefee commented 5 years ago

Was this resolved by https://github.com/kmagiera/babel-watch/pull/97 ? Has this been released yet?

marcioaffonso commented 5 years ago

@STRML, @srilq the version 7.0.0 (latest) in NPM is using chokidar@1.4.3.

STRML commented 5 years ago

Ah yes. It is fixed in #97 but @kmagiera has not yet merged. Chokidar@3 is already out and I'll give it a test, we can jump right to it which saves some CPU cycles.

marcioaffonso commented 5 years ago

@kmagiera @STRML, could you please publish the PR https://github.com/kmagiera/babel-watch/pull/97?

People are moving away from this package as you can see in https://github.com/iamogbz/bot-slacker/pull/33/files because this is generating a vulnerability in the dependencies.

STRML commented 5 years ago

I can't publish. It's on @kmagiera.

On Tue, Sep 17, 2019, 4:45 AM Marcio Affonso notifications@github.com wrote:

@kmagiera @STRML, could you please publish the PR #97 https://github.com/kmagiera/babel-watch/pull/97?

People are moving away from this package as you can see in https://github.com/iamogbz/bot-slacker/pull/33/files because this is generating a vulnerability in the dependencies.

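As an added example (not code from this thread or from babel-watch), the sketch below walks an npm lockfile to list every chain that pulls in a given transitive package, which shows whether a reinstall can help or the parent package still pins the old version. It assumes the nested `dependencies`/`requires` layout of lockfile version 1; `findChains` and `resolve` are hypothetical names, and the sample lockfile is constructed (only babel-watch 7.0.0 and chokidar 1.4.3 come from the thread).

```javascript
// Constructed sample in npm lockfile v1 shape. Versions marked "0.0.0-sample"
// are placeholders, not the real versions involved in the audit finding.
const sampleLock = {
  dependencies: {
    "babel-watch": { version: "7.0.0", requires: { chokidar: "^1.4.3" } },
    chokidar: { version: "1.4.3", requires: { anymatch: "*" } },
    anymatch: { version: "0.0.0-sample", requires: { micromatch: "*" } },
    micromatch: { version: "0.0.0-sample", requires: { braces: "*" } },
    braces: { version: "0.0.0-sample" },
    express: { version: "0.0.0-sample", requires: {} },
  },
};

// Resolve `name` the way Node does: nearest enclosing `dependencies` map first,
// then outward to the lockfile root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (Object.prototype.hasOwnProperty.call(deps, name)) {
      return { node: deps[name], scopes: scopes.slice(0, i + 1).concat(deps[name]) };
    }
  }
  return null; // not in the lockfile (for example an optional dependency)
}

// Return every "a@1 > b@2 > target@3" chain reachable from the direct deps.
function findChains(lock, roots, target) {
  const chains = [];
  const walk = (name, scopes, path) => {
    const hit = resolve(name, scopes);
    if (!hit) return;
    const label = `${name}@${hit.node.version}`;
    if (path.includes(label)) return; // guard against dependency cycles
    const next = path.concat(label);
    if (name === target) {
      chains.push(next.join(" > "));
      return;
    }
    for (const dep of Object.keys(hit.node.requires || {})) {
      walk(dep, hit.scopes, next);
    }
  };
  roots.forEach((root) => walk(root, [lock], []));
  return chains;
}

console.log(findChains(sampleLock, ["babel-watch", "express"], "braces"));
```

On an installed project, `npm ls braces` prints the same paths from the real tree.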