Obsolete and vulnerable dependencies (CVE-2020-15168 and CVE-2019-20149) #17416
Comments
This issue has already been opened, dups #17250
AFAIS, this would address the 2nd vuln but not the first one.
Both reports do not affect Next.js. Feel free to send a PR to upgrade chokidar, which should get rid of the mentioned dependency.
Hi timneutkens. Depending on an obsolete/vulnerable dependency is against security best practices. I will send you a PR to bump the version of chokidar up. Do you have any checks on the pipeline to make sure the new version does not break anything?
Yes, integration tests cover all features.
Fixes vercel#18044 Related to vercel#17416
Updates to the latest version of `chokidar` x-ref: #17416
This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.
Bug report
Hello. Several vulnerabilities were revealed in the dependencies of the chokidar and ampproject/toolbox-optimizer packages. The packages causing the "security issues" are kind-of and node-fetch. Detailed info about the CVE-2019-20149 and CVE-2020-15168 vulnerabilities is available here ([1] and [2]).
[email protected] > [email protected] > readdirp@^2.2.1 > micromatch@^3.1.10 > braces@^2.3.1 > snapdragon@^0.8.1 > base@^0.11.1 > class-utils@^0.3.5 > define-property@^0.2.5 > is-descriptor@^0.1.0 > is-accessor-descriptor@^0.1.6 > kind-of@^3.0.2
[email protected] > @ampproject/[email protected] > [email protected]
[1] jonschlinkert/kind-of#30
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-15168
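The dependency chains in the report are the kind of output a maintainer needs in order to judge whether a flagged package is actually installed, at which version, and through which path, since npm may install several copies of the same package at different versions. The following is an added example, not code from the issue or from the Next.js project: it walks an npm `package-lock.json` in the lockfileVersion 1 layout (nested `dependencies` with `requires` maps, resolved with npm's nearest-ancestor rule) starting from the direct dependencies in `package.json`, and prints every path that reaches a given package in the same `a@1 > b@2` form the report uses. The embedded lockfile fragment is constructed for the demo: the package names are modelled on (and shortened from) the chain in the report, while the version numbers are invented and say nothing about which versions of kind-of or node-fetch are affected.

```python
"""Added example (not from the Next.js issue or repository): list every
dependency path in an npm package-lock.json (lockfileVersion 1 layout)
that reaches a given package, so the resolved version(s) can be compared
against an advisory."""
import json
import sys

# Constructed sample input. Names follow (a shortened form of) the chain in
# the bug report; the versions are invented for the demo.
SAMPLE_PACKAGE_JSON = {"dependencies": {"chokidar": "^2.1.8"}}
SAMPLE_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "chokidar":   {"version": "2.1.8",  "requires": {"readdirp": "^2.2.1"}},
        "readdirp":   {"version": "2.2.1",  "requires": {"micromatch": "^3.1.10"}},
        "micromatch": {"version": "3.1.10",
                       "requires": {"kind-of": "^6.0.2", "braces": "^2.3.1"}},
        "kind-of":    {"version": "6.0.2"},
        "braces":     {"version": "2.3.2",  "requires": {"snapdragon": "^0.8.1"}},
        "snapdragon": {"version": "0.8.2",  "requires": {"base": "^0.11.1"}},
        # `base` wants an older kind-of than the hoisted copy, so npm nests a
        # second copy under it; scanning only the top level would miss it.
        "base": {
            "version": "0.11.2",
            "requires": {"kind-of": "^3.0.2"},
            "dependencies": {"kind-of": {"version": "3.2.2"}},
        },
    },
}


def _resolve(name, scopes):
    """npm's nearest-ancestor lookup: the innermost node_modules directory
    that holds `name` wins. `scopes` is ordered innermost first."""
    for scope in scopes:
        if name in scope:
            return scope[name]
    return None  # optional/peer dependency that was never installed


def find_paths(lock, package_json, target):
    """Return every path (list of 'name@version' strings) that leads from a
    direct dependency to `target`."""
    root = lock.get("dependencies", {})
    paths = []

    def walk(name, node, scopes, path):
        entry = f"{name}@{node['version']}"
        if entry in path:  # cycle guard: npm permits cyclic requires
            return
        path = path + [entry]
        if name == target:
            paths.append(path)
            return
        # A node's own nested `dependencies` shadow the outer scopes.
        child_scopes = ([node["dependencies"]] if "dependencies" in node else []) + scopes
        for dep_name in node.get("requires", {}):
            dep = _resolve(dep_name, child_scopes)
            if dep is not None:
                walk(dep_name, dep, child_scopes, path)

    for direct in package_json.get("dependencies", {}):
        node = root.get(direct)
        if node is not None:
            walk(direct, node, [root], [])
    return paths


def installed_versions(lock, package_json, target):
    """Distinct versions of `target` reachable from the direct dependencies.
    rsplit keeps scoped names such as @ampproject/toolbox-optimizer intact."""
    return sorted({p[-1].rsplit("@", 1)[1] for p in find_paths(lock, package_json, target)})


def format_path(path):
    """Render a path the way the bug report does: a@1 > b@2 > c@3."""
    return " > ".join(path)


if __name__ == "__main__":
    # usage: python lockpaths.py package-lock.json package.json <package-name>
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            lock = json.load(f)
        with open(sys.argv[2]) as f:
            pkg = json.load(f)
        target = sys.argv[3]
    else:  # no arguments: run against the constructed sample
        lock, pkg, target = SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, "kind-of"
    for p in find_paths(lock, pkg, target):
        print(format_path(p))
    print(f"installed versions of {target}: {', '.join(installed_versions(lock, pkg, target))}")
```

Run without arguments it prints two paths to kind-of, ending in `kind-of@6.0.2` and `kind-of@3.2.2` respectively; the second is only found because the walk honours the nested copy under `base`. Once the paths are known, each resolved version is compared by hand (or by a semver library) against the advisory's affected range, and the path shows which intermediate package has to be upgraded, as the maintainer suggests for chokidar above.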