Please update to chokidar 2.x to avoid ReDOS vulnerability

[StephenWeatherford]

https://snyk.io/test/npm/chokidar/1.7.0

[danielfigueiredo]

Quick heads up, looks like the dependency "chokidar": "^1.6.0", has been removed from cpx, maybe just publishing a new version would do the trick?

[Misiu]

@mysticatea could you take a look at this please?

[flvyu]

@mysticatea Reviving this discussion again. Would you be able to get the new version published? Let me know if I can help.

[lietusme]

Any update on this? cpx 1.50 is latest and still contains vulnerabilities
GHSA-ww39-953v-wcq6
https://nvd.nist.gov/vuln/detail/CVE-2018-1109

│ └─┬ cpx@1.5.0
│   └─┬ chokidar@1.7.0
│     ├─┬ anymatch@1.3.2
│     │ └─┬ micromatch@2.3.11
│     │   └─┬ parse-glob@3.0.4
│     │     └─┬ glob-base@0.3.0
│     │       └── glob-parent@2.0.0 
│     └── glob-parent@2.0.0 

├─┬ @bentley/build-tools@2.19.17
│ └─┬ cpx@1.5.0
│   └─┬ chokidar@1.7.0
│     ├─┬ anymatch@1.3.2
│     │ └─┬ micromatch@2.3.11
│     │   └── braces@1.8.5 

Need to use glob-parent 5.1.2 and braces 2.3.1

[vladimiry]

@lietusme this project clearly looks abandoned, so you might want to explore its alive fork https://github.com/bcomnes/cpx2 (basically drop-in replacement).