
glob-parent Security Issue #3407

Closed · oze4 opened this issue Jun 8, 2021 · 11 comments

Comments

oze4 commented Jun 8, 2021

- [ ] This is a bug
- [x] This is a modification request

Code

Issue not code related.

Please paste the results of webpack-cli info here, and mention other relevant information

Issue not webpack related

Expected Behavior

No security issues.

Actual Behavior

Security issue with glob-parent

For Bugs; How can we reproduce the behavior?

npm audit or see here

For Features; What is the motivation and/or use-case for the feature?

julienw commented Jun 9, 2021

This comes through the chokidar dependency.
Indeed, the latest stable version (3.11.2) depends on chokidar v2:
https://github.com/webpack/webpack-dev-server/blob/v3.11.2/package.json#L41
which depends on a too-old version of glob-parent (even the latest chokidar v2).

The latest master branch depends on chokidar v3 which can be updated to a patched version of glob-parent.

So I think that to fix this we'd need a release v3.11.3 with an update for chokidar only.

Would that be possible?

@brettwgreen

Note chokidar 2.1.8 is also deprecated... https://www.npmjs.com/package/chokidar/v/2.1.8

@textbook

Chokidar 3 dropped Node 6 compatibility, which WDS 3 supports:

```json
"engines": {
  "node": ">= 6.11.5"
},
```

That can't be updated in a patch version; it looks like WDS 4 is targeting Node >= 12.13 and already using Chokidar 3.

@kamikazebr

Can I get some beta package of dev server to test?

@textbook

@kamikazebr it's already available, on the next tag: https://www.npmjs.com/package/webpack-dev-server/v/4.0.0-beta.3

@alexander-akait (Member)

glob-parent has a backport (just update deps: `npm update`); also chokidar is updated in v4 (RC now, stable will be in the very near future).

@textbook

As far as I can tell glob-parent's maintainers haven't (and won't, only 5.x and 6.x are supported and they're already patched) released a fixed version compatible with WDS@3 (via Chokidar@2). A fresh install in a new directory still shows:

```shell
$ npm ls glob-parent
wds-glob@1.0.0 path/to/wds-glob
└─┬ webpack-dev-server@3.11.2
  └─┬ chokidar@2.1.8
    └── glob-parent@3.1.0
```
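A dependency-path checker, added here as an example and not code from the thread or from webpack-dev-server: it walks an `npm ls --json` tree and lists every path that ends in a glob-parent copy below the 5.x line the thread names as patched, so you can see which chain pulls it in. The tree is a constructed sample mirroring the output above; the patched-major threshold is an assumption taken from the thread.

```javascript
// Added example: walk an `npm ls --json` tree and report every dependency path
// ending in a glob-parent copy below the patched major line the thread names.
// The tree is constructed to mirror the `npm ls glob-parent` output above,
// plus a hoisted copy on the patched line so both outcomes are exercised.
const sampleTree = {
  name: "wds-glob",
  version: "1.0.0",
  dependencies: {
    "webpack-dev-server": {
      version: "3.11.2",
      dependencies: {
        chokidar: {
          version: "2.1.8",
          dependencies: { "glob-parent": { version: "3.1.0" } },
        },
      },
    },
    "glob-parent": { version: "5.1.0" }, // constructed: patched 5.x copy
  },
};
// Assumption taken from the thread: only the 5.x and 6.x lines are patched.
const PATCHED_MAJOR = 5;

function major(version) {
  return parseInt(String(version).split(".")[0], 10);
}

// Returns one "root@v > dep@v > ... > pkg@v" string per vulnerable copy found.
function findVulnerable(tree, pkg = "glob-parent", patchedMajor = PATCHED_MAJOR) {
  const hits = [];
  function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = path.concat(`${name}@${dep.version}`);
      // Unparseable versions fail the >= test and are flagged for review too.
      if (name === pkg && !(major(dep.version) >= patchedMajor)) {
        hits.push(here.join(" > "));
      }
      walk(dep, here); // deduped entries carry no nested dependencies
    }
  }
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}
// Real use: `npm ls --json --all > tree.json` (npm 7+ needs --all for full depth),
// then reportFromJson(fs.readFileSync("tree.json", "utf8")).
function reportFromJson(jsonText, pkg = "glob-parent") {
  return findVulnerable(JSON.parse(jsonText), pkg);
}

console.log(findVulnerable(sampleTree));
```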

@alexander-akait (Member)

Unfortunately we will not be able to solve it in v3, it was a big breaking change. Wait for v4; it is in RC, so it should be stable to use already.

textbook commented Jul 22, 2021

> we will not be able to solve it in v3, it was big breaking change

Sure, I pointed that out above. What I mean is that I wouldn't close this until 4.0 went GA - anyone installing WDS until then will see the vulnerability, the backport only applies to the RC version. Up to you though, I know it's frustrating to leave issues hanging around!
