Update chokidar to current version #1260
Assignees
Comments
|
@fdintino Please look into the issue. The chokidar has been upgraded to 3.x versions. |
|
@eklingen I have seen you raised a PR for the same. Can you please escalate it to get it merged sooner? |
|
Hello, I haven't seen any activity for the same. |
|
It appears snyk have now published this with a POC https://app.snyk.io/test/npm/nunjucks/3.2.0 |
|
I will update this today. |
|
Linking PR #1254 |
|
there is again a security issue with snyk and chokidar |
|
chokidar is a peer dependency, it is not lock end user from manually update their chokidar dependency |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The chokidar is an optional dependency yet it is on 2.* version which involves vulnerability of kind-of package as follows :
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
Please upgrade the version to the latest.
The text was updated successfully, but these errors were encountered: