Dependency vulnerability with CVSS 7.5 with braces v3.0.2

[xLexip]

The latest version of this project uses braces v3.0.2 which is vulnerable to CVE-2024-4068. Severity 7.5 (high).
The issue was fixed with braces#40 in a patch release (v3.0.3).

Please consider updating braces from v3.0.2 to v3.0.3 as chokidar forwards this vulnerability to other projects like @wdio/cli.

[paulmillr]

learn how version ranges work

[xLexip]

My bad. 🤡 I trusted npm ls too much.

[gauravmankar16]

@paulmillr can you please explain what do you mean exactly?

[paulmillr]

@gauravmankar16 if chokidar depends on braces ~3.0.0, that means will be auto updated when 3.0.2 comes out. ^3.0.0 will even auto update to 3.x.y