glob-parent Security Issue #3407
Comments
This comes through the chokidar dependency. The latest master branch depends on chokidar v3 which can be updated to a patched version of glob-parent. So I think that to fix this we'd need a release v3.11.3 with an update for chokidar only. Would that be possible?
Note chokidar 2.1.8 is also deprecated... https://www.npmjs.com/package/chokidar/v/2.1.8
Chokidar 3 dropped Node 6 compatibility, which WDS 3 supports: webpack-dev-server/package.json Lines 13 to 15 in 5cb545f
That can't be updated as a patch version, looks like WDS 4 is targeting Node >= 12.13 and already using Chokidar 3.
Can I get some beta package of dev server to test?
@kamikazebr it's already available, on the
As far as I can tell
Unfortunately we will not be able to solve it in v3, it was a big breaking change; wait for v4, it is in RC, so it should be stable to use already.
And migration guide https://github.com/webpack/webpack-dev-server/blob/master/migration-v4.md
Sure, I pointed that out above. What I mean is that I wouldn't close this until 4.0 went GA - anyone installing WDS until then will see the vulnerability, the backport only applies to the RC version. Up to you though, I know it's frustrating to leave issues hanging around!
Code
Issue not code related.
Please paste the results of webpack-cli info here, and mention other relevant information
Issue not webpack related
Expected Behavior
No security issues.
Actual Behavior
Security issue with glob-parent
For Bugs; How can we reproduce the behavior?
npm audit or see here
For Features; What is the motivation and/or use-case for the feature?
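The diagnosis in the thread (glob-parent arrives through chokidar, which webpack-dev-server depends on) can be reproduced from a lockfile. The following is an added example, not code from this issue or from the webpack project: `resolve` and `findDependencyPaths` are hypothetical helper names, the lockfile is constructed in npm's lockfileVersion 2/3 `packages` layout, and every version string is a placeholder.

```javascript
// Constructed sample in npm lockfileVersion 2/3 "packages" layout.
// All version numbers are placeholders, not values from the issue.
const sampleLock = {
  packages: {
    "": { dependencies: { "webpack-dev-server": "*" } },
    "node_modules/webpack-dev-server": {
      version: "0.0.0-wds", dependencies: { chokidar: "*", express: "*" } },
    "node_modules/chokidar": {
      version: "0.0.0-chokidar", dependencies: { "glob-parent": "*" } },
    "node_modules/express": { version: "0.0.0-express" },
    "node_modules/glob-parent": { version: "0.0.0-hoisted" },
    // Nested copy: wins over the hoisted one for chokidar only.
    "node_modules/chokidar/node_modules/glob-parent": { version: "0.0.0-nested" },
  },
};

// Resolve `name` as Node would from the package installed at `fromPath`:
// try its own node_modules first, then each ancestor's.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null; // reached the project root, not installed
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Return every chain of "name@version" from the root to `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages, found = [];
  const walk = (path, chain, seen) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(path === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolve(packages, path, name);
      if (!next || seen.has(next)) continue; // missing optional dep or cycle
      const link = [...chain, `${name}@${packages[next].version}`];
      if (name === target) found.push(link.join(" > "));
      else walk(next, link, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return found;
}

console.log(findDependencyPaths(sampleLock, "glob-parent"));
```

Run against a real `package-lock.json`, the reported chain shows which direct dependency has to be upgraded (or overridden) for the audited copy of the package to change, including copies nested under a single parent.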