
Please update to chokidar 2.x to avoid ReDoS vulnerability

Open StephenWeatherford opened this issue 5 years ago • 5 comments

https://snyk.io/test/npm/chokidar/1.7.0

StephenWeatherford, Feb 14 '19 21:02

Quick heads up, looks like the dependency "chokidar": "^1.6.0", has been removed from cpx, maybe just publishing a new version would do the trick?

danielfigueiredo, Feb 27 '19 19:02

@mysticatea could you take a look at this please?

Misiu, Oct 13 '20 11:10

@mysticatea Reviving this discussion again. Would you be able to get the new version published? Let me know if I can help.

flvyu, Jun 07 '21 19:06

Any update on this? cpx 1.50 is latest and still contains vulnerabilities https://github.com/advisories/GHSA-ww39-953v-wcq6 https://nvd.nist.gov/vuln/detail/CVE-2018-1109

│ └─┬ [email protected]
│   └─┬ [email protected]
│     ├─┬ [email protected]
│     │ └─┬ [email protected]
│     │   └─┬ [email protected]
│     │     └─┬ [email protected]
│     │       └── [email protected] 
│     └── [email protected] 

├─┬ @bentley/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     ├─┬ [email protected]
│     │ └─┬ [email protected]
│     │   └── [email protected] 

Need to use glob-parent 5.1.2 and braces 2.3.1

lietusme, Oct 19 '21 07:10
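An added check, not cpx's code and not posted by anyone in this thread: it walks a package-lock.json (lockfile v2/v3 "packages" map) and reports every installed copy of braces and glob-parent below the versions named in the comment above, plus chokidar below 2.0.0 as the issue title asks for 2.x. The lock file contents are constructed for the demo.

```javascript
// Minimum versions: braces 2.3.1 and glob-parent 5.1.2 from the thread,
// chokidar 2.0.0 taken from the "chokidar 2.x" request in the issue title.
const MIN_SAFE = { braces: "2.3.1", "glob-parent": "5.1.2", chokidar: "2.0.0" };

// Parse "1.2.3" (an optional "v" prefix or prerelease suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not lexical) comparison: returns <0 if a<b, 0 if equal, >0 if a>b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/cpx/node_modules/braces";
// the last "node_modules/" segment is the package name (scoped names keep their "@scope/").
// Nested copies are checked separately, since a fixed top-level copy does not
// fix an older copy hoisted under cpx.
function findVulnerable(lock, minimums = MIN_SAFE) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in minimums) || !meta.version) continue;
    if (compareVersions(meta.version, minimums[name]) < 0) {
      findings.push({ path, name, version: meta.version, required: minimums[name] });
    }
  }
  return findings;
}

// Constructed sample lock: cpx 1.5.0 dragging in old chokidar, braces and glob-parent,
// while the root-level glob-parent is already at a fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/cpx": { version: "1.5.0" },
    "node_modules/cpx/node_modules/chokidar": { version: "1.7.0" },
    "node_modules/cpx/node_modules/braces": { version: "1.8.5" },
    "node_modules/glob-parent": { version: "5.1.2" },
    "node_modules/cpx/node_modules/glob-parent": { version: "2.0.0" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} < required ${f.required}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; lockfile v1 files use a nested "dependencies" tree instead and are not handled here.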

@lietusme this project clearly looks abandoned, so you might want to explore its alive fork https://github.com/bcomnes/cpx2 (basically drop-in replacement).

vladimiry, Oct 19 '21 07:10