nicolo-ribaudo / chokidar-2

A wrapper around chokidar@2 to be able to specify both @2 and @3 as dependencies

Please update dependency to braces 3.x #8

Open nursoda opened 3 years ago

nursoda commented 3 years ago

Because braces 2.x results in an old snapdragon, resulting in an old source-map-resolve, resulting in a deprecated urix and resolve-url.

nicolo-ribaudo commented 3 years ago

braces 3.x requires Node.js 8, but this @nicolo-ribaudo/chokidar-2 package only exists to provide legacy support on Node.js 6.

nursoda commented 3 years ago

I understand. However, it is a dependency of babel (latest), and that alone leads to deprecated warnings, right?

nicolo-ribaudo commented 3 years ago

Yes. However, Babel only uses this package when you use old Node.js versions (on newer versions, it uses chokidar@3). It's always installed (because it's not possible to specify "install this dependency but only if using Node.js version X"), but you can safely ignore the warnings because in Node.js >= 10 the vulnerable code never runs.

If you are using Yarn, you can even prevent it from installing this dependency (since you won't need it while running Babel anyway) by adding

```json
"resolutions": {
  "@nicolo-ribaudo/chokidar-2": "./noop"
}
```

to your package.json

nursoda commented 3 years ago

I'm on Arch and I only use current programs, including node and npm. I set all dependencies in my package.json to "latest":

package.json

```json
{
  "name": "twofactor_email",
  "version": "0.1.0",
  "description": "Two Factor e-mail provider",
  "author": [
    {
      "name": "Olav Seyfarth (current maintainer)",
      "email": "olav@seyfarth.de"
    }
  ],
  "contributors": [
    {
      "name": "Roeland Jago Douma (original author)"
    }
  ],
  "license": "AGPL-3.0-or-later",
  "main": "index.js",
  "directories": {
    "lib": "lib",
    "test": "tests"
  },
  "scripts": {
    "build": "./node_modules/webpack-cli/bin/cli.js --config src/webpack.prod.config.js",
    "dev": "./node_modules/webpack-cli/bin/cli.js --config src/webpack.dev.config.js --watch",
    "test": "echo \"Error: no test specified\" && exit 1",
    "lint": "eslint --ext .js,.vue src",
    "lint:fix": "eslint --ext .js,.vue src --fix",
    "stylelint": "stylelint src",
    "stylelint:fix": "stylelint src --fix"
  },
  "dependencies": {
    "@nextcloud/axios": "latest",
    "@nextcloud/eslint-plugin": "latest",
    "@nextcloud/initial-state": "latest",
    "nextcloud-server": "latest",
    "vue": "latest",
    "vue-loader": "latest",
    "vue-style-loader": "latest",
    "vue-template-compiler": "latest"
  },
  "devDependencies": {
    "@babel/eslint-parser": "latest",
    "@nextcloud/eslint-config": "latest",
    "@nextcloud/eslint-plugin": "latest",
    "css-loader": "latest",
    "eslint": "latest",
    "eslint-config-standard": "latest",
    "eslint-plugin-import": "latest",
    "eslint-plugin-node": "latest",
    "eslint-plugin-promise": "latest",
    "eslint-plugin-vue": "latest",
    "eslint-webpack-plugin": "latest",
    "stylelint": "latest",
    "stylelint-config-recommended-scss": "latest",
    "stylelint-scss": "latest",
    "stylelint-webpack-plugin": "latest",
    "vue-loader": "latest",
    "vue-template-compiler": "latest",
    "webpack": "latest",
    "webpack-cli": "latest",
    "webpack-merge": "latest"
  }
}
```

I'm trying to help with a small Nextcloud app, but I'm not a dev. I think I don't use yarn. I understand that in my case this is irrelevant for production since it's a dev requirement only, and even if it were, current babel should use chokidar@3 only.

This is what I see:

```
$ rm -r node_modules package-lock.json
$ npm install
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
$ npm audit
found 0 vulnerabilities
```

Please close the bug if you think that's irrelevant or inevitable.

XhmikosR commented 3 years ago

@nicolo-ribaudo there's also a GitHub security issue due to set-value, https://github.com/advisories/GHSA-4jqc-8m5r-9rpr:

```
C:\Users\xmr\Desktop\bootstrap>npm ls set-value
bootstrap@5.1.1 C:\Users\xmr\Desktop\bootstrap
`-- @babel/cli@7.15.4
  `-- @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents.2
    `-- braces@2.3.2
      `-- snapdragon@0.8.2
        `-- base@0.11.2
          `-- cache-base@1.0.1
            +-- set-value@2.0.1
            `-- union-value@1.0.1
              `-- set-value@2.0.1  deduped
```

Is there any way this could be upgraded?

EDIT:

Hmm, NVM, I think the GitHub Security advisory is wrong. I see set-value v2.0.1 has this patch https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
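The argument in this thread is that a flagged package can be ignored when every path to it runs through @nicolo-ribaudo/chokidar-2, which is only loaded on old Node.js. The script below checks that mechanically for a dependency tree. It is an added example, not code from this issue, from Babel or from chokidar-2; `findPaths`, `onlyReachableViaLegacyShim` and `SAMPLE_TREE` are names chosen here, and the sample tree is constructed to mirror the `npm ls set-value` output posted above in the nested `{ version, dependencies }` shape that `npm ls --json` prints.

```javascript
// Added example: given the JSON that `npm ls <pkg> --json` prints, list every
// dependency path that reaches <pkg> and report whether each path passes
// through the Node.js-6-only shim. If all of them do, the package is installed
// but never loaded on current Node.js, which is the situation in this thread.

const LEGACY_SHIM = "@nicolo-ribaudo/chokidar-2";

// Constructed sample mirroring the tree posted in this issue (not real
// `npm ls` output); real use would be JSON.parse(fs.readFileSync("tree.json")).
const SAMPLE_TREE = {
  name: "bootstrap",
  version: "5.1.1",
  dependencies: {
    "@babel/cli": {
      version: "7.15.4",
      dependencies: {
        "@nicolo-ribaudo/chokidar-2": {
          version: "2.1.8-no-fsevents.2",
          dependencies: {
            braces: {
              version: "2.3.2",
              dependencies: {
                snapdragon: {
                  version: "0.8.2",
                  dependencies: {
                    base: {
                      version: "0.11.2",
                      dependencies: {
                        "cache-base": {
                          version: "1.0.1",
                          dependencies: {
                            "set-value": { version: "2.0.1" },
                            "union-value": {
                              version: "1.0.1",
                              dependencies: {
                                "set-value": { version: "2.0.1" },
                              },
                            },
                          },
                        },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk collecting every root-to-target path as an array of
// "name@version" strings. Deduped entries still appear as nodes in the JSON,
// so every install path is reported, not just the first one.
function findPaths(tree, target) {
  const found = [];
  function walk(node, name, trail) {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === target) found.push(here);
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(child, childName, here);
    }
  }
  walk(tree, tree.name, []);
  return found;
}

// True only when the target is present and every path to it contains the
// legacy shim; false if it is absent or reachable through any other route,
// in which case the warning must not be dismissed on this argument.
function onlyReachableViaLegacyShim(tree, target, shim = LEGACY_SHIM) {
  const paths = findPaths(tree, target);
  return (
    paths.length > 0 &&
    paths.every((p) => p.some((entry) => entry.startsWith(shim + "@")))
  );
}

function report(tree, target) {
  for (const p of findPaths(tree, target)) console.log(p.join(" > "));
  const verdict = onlyReachableViaLegacyShim(tree, target);
  console.log(`${target} only reachable via ${LEGACY_SHIM}: ${verdict}`);
  return verdict;
}

report(SAMPLE_TREE, "set-value");
```

Feed it `npm ls set-value --json` (or the tree for whatever package the advisory names) from your own project; a `false` verdict with the package present means some other dependency also pulls it in, and the "never runs on Node.js >= 10" reasoning no longer covers it.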

nicolo-ribaudo commented 3 years ago

Yeah, I noticed that the CVE marks 2.0.1 as secure but GH still warns about it.

Anyway, even if GH were correct, in this case you can safely dismiss the warning since the vulnerable code is not actually used.
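The set-value advisory discussed above (GHSA-4jqc-8m5r-9rpr) is a prototype pollution issue: a set-by-path helper that follows a user-controlled key such as `__proto__` ends up writing onto `Object.prototype`. The snippet below is an added example, not set-value's code and not from this issue; `setPathNaive`, `setPathSafe` and `pollutionLeaks` are names chosen here. It shows the vulnerable pattern next to a hardened version so the reader can see what the fix in a package like this has to do, and why an unreachable copy of the old code is harmless while a reachable one is not.

```javascript
// Added example: prototype pollution through a dotted key path, in a naive
// set-by-path helper and a hardened one. Not set-value's implementation.

// Naive helper: walks or creates objects along the path and assigns the leaf.
// It never inspects segment names, so "__proto__.isAdmin" descends into
// Object.prototype (an object, so it is not replaced) and writes there;
// every plain object in the process then inherits the injected property.
function setPathNaive(target, path, value) {
  const segments = path.split(".");
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (node[key] === null || typeof node[key] !== "object") node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Segment names that reach the prototype chain instead of the target object.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Hardened helper: rejects any path containing a reserved segment, and only
// descends into own properties so an inherited key (e.g. "toString") is
// shadowed by a fresh object rather than followed.
function setPathSafe(target, path, value) {
  const segments = path.split(".");
  if (segments.some((s) => FORBIDDEN.has(s))) {
    throw new Error(`refusing path with reserved key: ${path}`);
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== "object") {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Runs the attack payload against one helper and reports whether an
// unrelated object picked up the injected property. Cleans up afterwards so
// a leak from the naive helper does not contaminate later checks.
function pollutionLeaks(setPath) {
  const victim = {};
  try {
    setPath({}, "__proto__.polluted", true);
  } catch (e) {
    // the hardened helper throws here; nothing has been written
  }
  const leaked = victim.polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log("naive helper pollutes:", pollutionLeaks(setPathNaive));
console.log("hardened helper pollutes:", pollutionLeaks(setPathSafe));
console.log("normal use:", JSON.stringify(setPathSafe({}, "a.b.c", 1)));
```

The audit question for a transitive copy of a helper like this is not only "is the version patched" but "can untrusted input reach its path argument at all"; the thread's point is that when the code is never loaded on the Node.js version in use, neither question matters for that install.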