
consider switching to brace-expansion

Open 43081j opened this issue 1 year ago • 4 comments

👋 as part of the efforts going on over at the ecosystem-cleanup repo, we're helping projects move away from various packages to reduce dependency bloat

braces is one such package.

in most places, we can use brace-expansion as a drop-in replacement instead (4-5x smaller, only 1 dependency)

i'd be happy to open a PR with the change if you're happy with it

43081j (Feb 04 '24 12:02)

It's probably much slower.

paulmillr (Feb 05 '24 15:02)

Sort of related: CVE-2024-4068 on braces was just made public (see also: https://github.com/micromatch/braces/issues/35).

Hopefully that project fixes it, but... last publish was 5 years ago so we'll see.

dave-addition (May 14 '24 00:05)

tired of these useless "vulnerabilities"

paulmillr (May 14 '24 00:05)

I sympathize!

dave-addition (May 14 '24 00:05)

braces has released version 3.0.3, which addresses CVE-2024-4068.

sheldonsequeira (Jun 20 '24 23:06)

@sheldonsequeira and?

paulmillr (Jun 21 '24 00:06)

@sheldonsequeira oh, thanks for letting me know. I opened https://github.com/paulmillr/chokidar/pull/1326 to update.

dave-addition (Jun 21 '24 01:06)

@dave-addition consider learning how version ranges work before opening useless pull requests

paulmillr (Jun 21 '24 02:06)

I'm well aware how version ranges work, but I also found #1324 and realize it's a waste of both of our times to argue the merits of the change.

dave-addition (Jun 21 '24 13:06)

fwiw this issue is fairly redundant now (the OP at least), since we want to release the next major that has no dependency on globs

43081j (Jun 21 '24 13:06)