Fix security vulnerability CVE-2019-20149

[RedMickey]

Hello, I'm a member the development team of VS Code extensions for debugging Cordova and React Native applications. Several vulnerabilities were revealed in chokidar package dependencies. The package causing a security issue is kind-of. Detailed info about CVE-2019-20149 vulnerability is available here. The vulnerability has been already fixed. It's recommended to update outdated dependencies.

[paulmillr]

What are you talking about? Chokidar doesn't depend on kind-of.

[RedMickey]

@paulmillr, oh now I see, that was our fault. It seems that there was a mistake in our audit tools. Sorry for bothering you.

[edwardgalligan]

What are you talking about? Chokidar doesn't depend on kind-of.

@paulmillr @RedMickey chokidar does depend on kind-of.

I see the following listed in chokidar's package.json file

• "anymatch": "~3.1.1", depends on kind-of
• "braces": "~3.0.2", depends on kind-of
• "readdirp": "~3.3.0" depends on kind-of

Pretty worrying to see a CVE so rapidly dismissed on such a popular package.

[paulmillr]

@edwardgalligan bullshit. Do your research. I take security very seriously.

Anymatch has 2 dependencies:

https://www.npmjs.com/package/picomatch
https://www.npmjs.com/package/normalize-path

Each of those have 0 dependencies. No kind-of.

Braces has one dep fill-range, which has one dep to-regex-range, which has one dep is-number.

Readdirp has only picomatch.