paulmillr / chokidar

Minimal and efficient cross-platform file watching library
https://paulmillr.com
MIT License

Vulnerable Dependency - braces #1314

Closed madhavsarpalJG closed 3 months ago

madhavsarpalJG commented 3 months ago
paulmillr commented 3 months ago
  1. It is not a real vulnerability. CVE rating 7.5 is nonsense. More like 2.5
  2. They can’t even produce a working exploit. Some folks have found some slowdown for 100 million braces, which is nonsense. Would you personally build such regex?
  3. There are no other packages to switch. They are either esm only, or very slow, or potentially dangerous with unknown maintainers. They can upload malware to chokidar users
  4. See thread for the context. We are waiting to either retract the cve, fix the issue, etc. It is another shit that got cve https://github.com/micromatch/micromatch/issues/243
thomashohn commented 3 months ago

So are you planning on doing a release 3.6.1 with braces 3.0.3?

paulmillr commented 3 months ago

@thomashohn no.

Is there something in the "we are using version ranges" phrase you don't understand?
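The point behind "we are using version ranges" is that chokidar declares braces with a semver range rather than an exact pin, so the braces version a project actually installs comes from that project's own lockfile, not from a new chokidar release. The script below is an added example, not chokidar's code: it walks an npm lockfile (v2/v3 "packages" map), lists installed copies of braces below 3.0.3, and checks whether each declared range already admits 3.0.3. The `~3.0.2` spec and the whole lockfile are constructed assumptions for the demo, not copied from chokidar's package.json.

```javascript
// Added example (not chokidar's code): is the old braces copy pinned by the
// consumer's lockfile, or by a dependency range that excludes the fix?

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 for a < b, a == b, a > b (major.minor.patch only).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check covering the common npm specs: exact, ^x.y.z
// (same major; for a 0.x major the minor is locked as npm does) and ~x.y.z
// (same major.minor). Pre-release tags and "||" ranges are out of scope.
function satisfies(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (op === '^') return bMaj === 0 ? vMaj === 0 && vMin === bMin : vMaj === bMaj;
  if (op === '~') return vMaj === bMaj && vMin === bMin;
  return compareVersions(version, base) === 0;
}

// Every installed copy of `pkg` (top-level or nested) whose version is below `fixed`.
function findStaleCopies(lock, pkg, fixed) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkg}`)) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      stale.push({ path, version: entry.version });
    }
  }
  return stale;
}

// Collect each declared range for `pkg` and whether it already allows `fixed`.
// If every range allows the fix, a lockfile refresh (not a new release of the
// dependant) is what brings the patched version in.
function audit(lock, pkg, fixed) {
  const ranges = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const spec = entry.dependencies && entry.dependencies[pkg];
    if (spec) ranges.push({ declaredBy: path, spec, allowsFix: satisfies(spec, fixed) });
  }
  return {
    stale: findStaleCopies(lock, pkg, fixed),
    ranges,
    needsNewRelease: ranges.some((r) => !r.allowsFix),
  };
}

// Constructed lockfile (assumption, not a real tree): chokidar pulls in braces
// through a tilde range, and the lockfile still resolves the old 3.0.2.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { chokidar: '^3.6.0' } },
    'node_modules/chokidar': { version: '3.6.0', dependencies: { braces: '~3.0.2' } },
    'node_modules/braces': { version: '3.0.2' },
  },
};

console.log(JSON.stringify(audit(sampleLock, 'braces', '3.0.3'), null, 2));
```

On the constructed tree the result is one stale copy at `node_modules/braces` with `needsNewRelease: false`: the `~3.0.2` range already admits 3.0.3, so refreshing the lockfile (for example `npm update braces`) is the fix, and `npm ls braces` shows the same resolution on a real install. `needsNewRelease` only becomes true when some dependant declares an exact pin or a range that stops short of the fixed version.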

thomashohn commented 3 months ago

No sir