Could you update dependency "chokidar"?
I’ve been seeing this for a while now:
I have a hard time figuring out which of our packages is to blame for the transitive dependency, but I believe it’s this one. My way to debug this:
robert@e480 ~/D/h/Human-Connection> yarn why set-value
yarn why v1.19.1
[1/4] Why do we have the module "set-value"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "set-value@2.0.0"
info Reasons this module exists
- "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base" depends on it
- Hoisted from "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#set-value"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "148KB"
info Disk size with transitive dependencies: "168KB"
info Number of shared dependencies: 5
=> Found "union-value#set-value@0.4.3"
info This module exists because "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#union-value" depends on it.
Done in 0.47s.
robert@e480 ~/D/h/Human-Connection> yarn list --pattern set-value
yarn list v1.19.1
├─ set-value@2.0.0
├─ union-value@1.0.0
│ └─ set-value@0.4.3
└─ unset-value@1.0.0
Done in 0.44s.
robert@e480 ~/D/h/Human-Connection> yarn why union-value
yarn why v1.19.1
[1/4] Why do we have the module "union-value"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "union-value@1.0.0"
info Reasons this module exists
- "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base" depends on it
- Hoisted from "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#union-value"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "212KB"
info Number of shared dependencies: 8
Done in 0.46s.
As far as I understand, package set-value got resolved to version 0.4.3 because of package union-value at 1.0.0, which in turn is somehow required through multiple hops by chokidar, which is used by cypress-cucumber-preprocessor. Am I right? Please tell me a better way to debug GitHub’s security vulnerabilities and how to learn which package maintainer to ask for an update.
It looks like chokidar made a major version bump, so I guess if you update chokidar, the security vulnerability will be gone as well.
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (1 by maintainers)
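As an added example (not part of the original issue or of the project's code), the chain strings in the `yarn why` output above can be parsed to show, for each installed copy, the direct dependency listed in package.json and the immediate parent whose version range pulled that copy in. The function names are hypothetical, and the sample text is copied from the issue's own output.

```javascript
// Copied from the `yarn why set-value` output in the issue above.
const SAMPLE_YARN_WHY = `
=> Found "set-value@2.0.0"
info Reasons this module exists
   - "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base" depends on it
   - Hoisted from "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#set-value"
=> Found "union-value#set-value@0.4.3"
info This module exists because "cypress-cucumber-preprocessor#chokidar#braces#snapdragon#base#cache-base#union-value" depends on it.
`;

// Parse yarn v1 `yarn why` text into one record per installed copy.
function parseYarnWhy(text) {
  const copies = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    // Greedy name match keeps scoped names such as "@scope/pkg" intact.
    const found = line.match(/^=> Found "(.+)@([^@"]+)"$/);
    if (found) {
      // "union-value#set-value" is a copy nested under union-value.
      const name = found[1].split('#').pop();
      current = { name, version: found[2], chains: [] };
      copies.push(current);
      continue;
    }
    // "Hoisted from" lines describe placement, not a requirement: skip them.
    const reason = line.match(/"([^"]+)" depends on it/);
    if (current && reason) current.chains.push(reason[1].split('#'));
  }
  return copies;
}

// For each copy, name the direct dependency in package.json (first hop) and
// the package whose version range selected this copy (last hop).
function explainCopies(text) {
  return parseYarnWhy(text).flatMap((copy) =>
    copy.chains.map((chain) => ({
      pkg: `${copy.name}@${copy.version}`,
      directDependency: chain[0],
      immediateParent: chain[chain.length - 1],
      hops: chain.length,
    })));
}

console.log(explainCopies(SAMPLE_YARN_WHY));
```

The immediate parent is the package whose declared range has to change for the flagged copy to disappear; the direct dependency is the maintainer an application owner can ask to update the chain.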
Top GitHub Comments
Any updates on this?
I get an error when I run it on my Windows 10 OS.
Error: Can’t walk dependency graph: Cannot find module ‘fsevents’ from ‘${Path}\node_modules\cypress-cucumber-preprocessor\node_modules\chokidar\lib’ in Windows 10.
The app complains saying we have to use a version greater than 3 for chokidar.
We’ve had this conversation before 😃
https://github.com/TheBrainFamily/cypress-cucumber-preprocessor/pull/190#issuecomment-511766984
Having said that - we have a good end to end test coverage now (with typescript and webpack usages), so I’ve decided to give this a try, since quite a few people keep asking and complaining. I don’t want to be difficult and force people to change their approach to security checks because of this one package. I will be merging the security bumps today as soon as they are passing on the CI.