Update chokidar dependency to 3.5.2

[yogesh-MS]

Please update chokidar dependency to 3.5.2 to resolve security issue . https://snyk.io/test/npm/watchpack-chokidar2/

[alexander-akait]

Please update webpack to v5

[jlowcs]

Sadly, the last time I tried updating to webpack 5, I was blocked by some plugins that didn't yet support it. So it's not necessarily a viable option at this point.

[alexander-akait]

@jlowcs most of plugins are supported webpack v5, what is the blocker?

[jlowcs]

To be honest I don't quite remember which plugins were a blocker the last time I tried updating, but after having a quick look:

• https://github.com/johnagan/clean-webpack-plugin v4 is currently still in alpha
• https://github.com/waysact/webpack-subresource-integrity v5 is currently still a rc

[alexander-akait]

https://github.com/johnagan/clean-webpack-plugin v4 is currently still in alpha

You don't need this plugin anymore, we have output.clean https://github.com/johnagan/clean-webpack-plugin/issues/197

https://github.com/waysact/webpack-subresource-integrity v5 is currently still a rc

rc should work fine

[jlowcs]

I appreciate you looking into those. I'm still not quite comfortable using a rc tbh.

In any case, since updating to webpack 5 is not as trivial as simply changing a version number, it needs to be planned and prioritized. Some companies might not be able to do that right away. I definitely won't have the time for the next couple months or so :/

[alert-debug]

@jlowcs It's completely reasonable for you to have other priorities for the next couple of months, don't worry. There is something that maybe you can clarify about this issue, though.

The initial request was to "update chokidar dependency to 3.5.2", which presumably refers to the dependency from watchpack@1.7.5 to watchpack-chokidar2@^2.0.1 to chokidar@^2.1.8. It was then the first comment on this issue which requested an update of "webpack to v5", which you helpfully responded to.

Is it possible to produce a patch release e.g. watchpack@1.7.6 which keeps the existing functionality but avoids watchpack-chokidar2 and thus allows chokidar@3.5.2 to satisfy the remaining chokidar dependency? Version 1.7.5 is currently the most popular release of watchpack, with nearly 1 million downloads per day, so if those downloads could avoid triggering warnings about the vulnerability in glob-parent, that could be a huge win.

Perhaps there is some connection to v5 of webpack which prevents such a patch release, but it would be great to have that documented here.

[jlowcs]

A patch or minor release of watchpack should do the trick yes, since that should still match the semver rule of webpack.

[RMcNeely]

I don't know if a minor patch release is something that would be considered for people still relying on Webpack 4 but I've pushed up a new branch that should allow for this to happen in the watchpack-1 branch.

[ryami333]

Please would the maintainers of webpack reconsider this issue - switching from Webpack 4 to Webpack 5 is simply not an option for those of us who are experiencing this security vulnerability via a transitive dependency.

In our case, for example, we only have Webpack 4 installed only as a transitive dependency of Storybook. We do not have the option to simply switch from Wepback 4 to 5 because that would have be done upstream, by the maintainers of Storybook. If a hotfix patch release could be made to watchpack@1 then webpack@4 (which presumably still gets downloaded millions of times per week) will no longer suffer from this permanent "high" CVE vulnerability.

I want to make it clear - the maintainers of watchpack are really the only people that can truly solve this (besides the webpack maintainers making a v4 patch themselves, which would be very unlikely, they haven't done that in almost a year. Perhaps you could comment @sokra ?).

[alexander-akait]

@ryami333 It will be breaking change...

[ryami333]

Please elaborate

[alexander-akait]

@ryami333 We can't just update chokidar, because - Node.js version is increased, API was changed on async, it will required a lot of changes and also break plugins and some other stuff, I am afraid there are two solutions:

1. Use fork https://github.com/webpack/watchpack/issues/199#issuecomment-904094828
2. Consider to update to v5

[alexander-akait]

Closing due to inactivity. Please test with latest version and feel free to reopen if still regressions. Thanks!