Could you update dependency "chokidar"?


I’m seeing this for a while now:

[Screenshot: Screenshot_2019-10-11 Human-Connection Human-Connection]

I have a hard time figuring out which of our packages is to blame for the transitive dependency, but I believe it’s this one. My way to debug this:

robert@e480 ~/D/h/Human-Connection> yarn why set-value
yarn why v1.19.1
[1/4] Why do we have the module "set-value"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "set-value@2.0.0"
info Reasons this module exists
   - "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base" depends on it
   - Hoisted from "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#set-value"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "148KB"
info Disk size with transitive dependencies: "168KB"
info Number of shared dependencies: 5
=> Found "union-value#set-value@0.4.3"
info This module exists because "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#union-value" depends on it.
Done in 0.47s.


robert@e480 ~/D/h/Human-Connection> yarn list --pattern set-value
yarn list v1.19.1
├─ set-value@2.0.0
├─ union-value@1.0.0
│  └─ set-value@0.4.3
└─ unset-value@1.0.0
Done in 0.44s.

robert@e480 ~/D/h/Human-Connection> yarn why union-value
yarn why v1.19.1
[1/4] Why do we have the module "union-value"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "union-value@1.0.0"
info Reasons this module exists
   - "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base" depends on it
   - Hoisted from "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#union-value"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "212KB"
info Number of shared dependencies: 8
Done in 0.46s.

As far as I understand, package set-value got resolved to a version 0.4.3 because of a package union-value at 1.0.0 which in turn is somehow required through multiple hops by chokidar which is used by cypress-cucumber-preprocessor. Am I right? Please tell me a better way to debug GitHub’s security vulnerabilities and how to learn which package maintainer to ask for an update.

It looks like chokidar made a major version bump, so I guess if you update chokidar also the security vulnerability will be gone.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:6 (1 by maintainers)
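
One way to answer the question in the post (which chain pulls in the flagged version, and whose range pins it), as an added example that is not part of the original issue or the project's code. It assumes the lockfile has already been parsed into a `name@range` map; `findChains`, `summarize` and the sample data are hypothetical, and the flagged versions are whatever the advisory alert names.

```javascript
// Constructed sample in the shape of a parsed yarn.lock v1: "name@range" -> entry.
// set-value 2.0.0 / 0.4.3 and union-value 1.0.0 are the versions shown in the issue;
// every range and every "0.0.0" version is a placeholder, not a real release.
const LOCK = {
  'cypress-cucumber-preprocessor@*': { version: '0.0.0', dependencies: { chokidar: '*' } },
  'chokidar@*': { version: '0.0.0', dependencies: { braces: '*' } },
  'braces@*': { version: '0.0.0', dependencies: { snapdragon: '*' } },
  'snapdragon@*': { version: '0.0.0', dependencies: { base: '*' } },
  'base@*': { version: '0.0.0', dependencies: { 'cache-base': '*' } },
  'cache-base@*': { version: '0.0.0',
    dependencies: { 'set-value': '^2.0.0', 'union-value': '^1.0.0' } },
  'union-value@^1.0.0': { version: '1.0.0', dependencies: { 'set-value': '^0.4.3' } },
  'set-value@^2.0.0': { version: '2.0.0' },
  'set-value@^0.4.3': { version: '0.4.3' },
};

// Walk from each direct dependency and collect every chain that ends at
// targetName resolved to one of the flagged versions.
function findChains(lock, directDeps, targetName, flaggedVersions) {
  const chains = [];
  const walk = (name, range, path) => {
    const entry = lock[`${name}@${range}`];
    if (!entry) return;                       // not in the lockfile (e.g. optional dep)
    const id = `${name}@${entry.version}`;
    if (path.includes(id)) return;            // cycle guard
    const next = [...path, id];
    if (name === targetName && flaggedVersions.includes(entry.version)) chains.push(next);
    for (const [dep, depRange] of Object.entries(entry.dependencies || {})) {
      walk(dep, depRange, next);
    }
  };
  for (const [name, range] of Object.entries(directDeps)) walk(name, range, []);
  return chains;
}

// For each chain: the direct dependency you control, and the package whose
// range actually pins the flagged version (the first maintainer to ask).
function summarize(chains) {
  return chains.map((c) => ({
    direct: c[0],
    pinnedBy: c[c.length - 2] || '(your own package.json)',
    chain: c.join(' > '),
  }));
}

// 0.4.3 is the version the post asks about; take the real list from the alert.
const report = summarize(
  findChains(LOCK, { 'cypress-cucumber-preprocessor': '*' }, 'set-value', ['0.4.3']));
console.log(report);
```

Updating the direct dependency only helps once the package named in `pinnedBy` (or one above it in the chain) has released a version with a newer range.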

Top GitHub Comments

3 reactions
tanmally commented, Jun 4, 2021

Any updates on this?
I get an error when I run it on my Windows 10 OS.

Error: Can’t walk dependency graph: Cannot find module ‘fsevents’ from ‘${Path}\node_modules\cypress-cucumber-preprocessor\node_modules\chokidar\lib’ in Windows 10.

The app complains saying we have to use a version greater than 3 for chokidar

2 reactions
lgandecki commented, Oct 14, 2019

We’ve had this conversation before 😃

https://github.com/TheBrainFamily/cypress-cucumber-preprocessor/pull/190#issuecomment-511766984

Having said that - we have a good end to end test coverage now (with typescript and webpack usages), so I’ve decided to give this a try, since quite a few people keep asking and complaining. I don’t want to be difficult and force people to change their approach to security checks because of this one package. I will be merging the security bumps today as soon as they are passing on the CI.
