Use chokidar@2 - Githubissues

stefee commented 5 years ago

Change log

Breaking: Upgrade chokidar dependency which requires globs to be more strict and always use POSIX-style slashes because Windows-style slashes are used as escape sequences
See chokidar change log for more details: https://github.com/paulmillr/chokidar/blob/master/CHANGELOG.md

Notes for reviewer

I've set a minimum chokidar version 2.0.4 to match @babel/cli https://github.com/babel/babel/blob/master/packages/babel-cli/package.json#L33
This includes patch for the braces vulnerability described in this npm advisory: https://www.npmjs.com/advisories/786

stefee commented 5 years ago

cc @kmagiera

stefee commented 5 years ago

See below npm audit report which this PR addresses:

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-watch [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-watch > chokidar > anymatch > micromatch > braces      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

STRML commented 5 years ago

Causes no issues in my testing. Merging.

stefee commented 5 years ago

@STRML would you be able to release this change as a patch for us?

STRML commented 5 years ago

I don't have publish permissions, @kmagiera?

stefee commented 5 years ago

@kmagiera a new patch release would be appreciated

kmagiera / babel-watch

Use chokidar@2 #97

Change log

Notes for reviewer