nicolo-ribaudo / chokidar-2

A wrapper around chokidar@2 to be able to specify both @2 and @3 as dependencies

Fix for CVE-2020-28469 #4

Closed lucakiebel closed 3 years ago

lucakiebel commented 3 years ago

https://github.com/advisories/GHSA-ww39-953v-wcq6

lucakiebel commented 3 years ago

Also fixes #3

nicolo-ribaudo commented 3 years ago

Hi, unfortunately I cannot accept this PR since it breaks compatibility with Node.js 6. Also, this package aims to be a 1:1 copy of chokidar@2 but without the fsevents dependency.

Also, I assume you depend on this package because it's a dependency of @babel/cli: in that case the CVE doesn't affect you unless you are using Node.js 6. In Node.js >= 8, Babel doesn't use this package but uses chokidar@3 directly.

lucakiebel commented 3 years ago

Hey, thanks for the comment. Closed the PR.