Replies: 1 comment
Is this a PR already or issue already? If not, you should submit it.
Summary
`@tanstack/router-plugin` declares `chokidar` as a production dependency, but it is only used in the webpack and rspack code paths. Vite and esbuild users never execute the chokidar code, yet it is installed in their dependency tree, bringing in transitive dependencies with known vulnerabilities (e.g., `picomatch@2.3.1` via `anymatch` — CVE-2026-33671, CVE-2026-33672).

These CVEs are not practically exploitable in this context — chokidar is a dev-time file watcher, and the glob patterns it processes come from developer-controlled configuration, not from external input. However, having unnecessary dependencies in the tree increases the supply chain attack surface regardless of any specific CVE. Minimizing unused transitive dependencies is a worthwhile goal in its own right.
Details
In `router-generator-plugin.ts`, chokidar is dynamically imported only within the `rspack()` and `webpack()` hooks to supplement their file watchers for newly created files:

The Vite code path uses Vite's built-in `watchChange` hook instead, and the esbuild code path does not use file watching at all.

Since chokidar is already loaded via dynamic `import()`, making it an optional peer dependency would not require any code changes — only a `package.json` update:

"dependencies": { - "chokidar": "^3.6.0", ... }, "peerDependencies": { + "chokidar": "^3.6.0", ... }, "peerDependenciesMeta": { + "chokidar": { + "optional": true + }, ... }

Impact

`anymatch`, `picomatch`, `glob-parent`, etc.) are removed from the dependency tree, eliminating false-positive vulnerability reports and reducing supply chain attack surface.
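Review bot: the statement that this needs "only a `package.json` update" does not hold for webpack and rspack consumers who have not installed chokidar themselves: once it is an optional peer dependency, the `import('chokidar')` inside the `rspack()` / `webpack()` hooks rejects with a module-not-found error at runtime rather than silently working as it does today. Suggest pairing the manifest change with a guard around that dynamic import (catch the not-found error and log that chokidar must be installed for new-file watching to work), plus a README note that webpack/rspack users need `chokidar ^3.6.0` as a direct dependency. The fragment itself is internally consistent: the range added under `"peerDependencies"` matches the one removed from `"dependencies"`, and the `"peerDependenciesMeta"` entry marks it optional, so package managers will not warn Vite/esbuild users about a missing peer.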
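As an added example (not code from this discussion, nor from `@tanstack/router-plugin` or its repository), here is how a maintainer could guard against the two practical risks of the change described above: a manifest lint for CI that fails if the package ever slips back into `"dependencies"` (which would reinstall its whole transitive tree for every consumer), and a guarded dynamic `import()` so that webpack/rspack consumers who lack the optional peer get a clear message instead of an unhandled rejection. The `package.json` fragments are constructed to mirror the "before" and "after" states in the post; the function names, the `some-other-dep` placeholder and the `onMissing` callback are assumptions of this example.

```javascript
// Added example, not part of the discussion or the @tanstack/router-plugin code base.
// Demonstrates two checks around turning a regular dependency into an optional peer:
//   1. auditOptionalPeer(): a manifest lint for CI that confirms a package is declared
//      as an optional peer and NOT also as a regular dependency.
//   2. loadOptionalPeer(): a guarded dynamic import() so consumers who legitimately
//      lack the optional peer get a clear message rather than an unhandled rejection.

// Constructed package.json fragments. BEFORE mirrors the current state described in the
// post (chokidar in "dependencies"); AFTER mirrors the proposed change. The version
// range is the one quoted in the post; 'some-other-dep' is a placeholder.
const BEFORE = {
  name: 'example-plugin',
  dependencies: { chokidar: '^3.6.0', 'some-other-dep': '^1.0.0' },
};

const AFTER = {
  name: 'example-plugin',
  dependencies: { 'some-other-dep': '^1.0.0' },
  peerDependencies: { chokidar: '^3.6.0' },
  peerDependenciesMeta: { chokidar: { optional: true } },
};

// Returns a list of findings for a package that is meant to be an optional peer.
// An empty list means the manifest is consistent with that intent.
function auditOptionalPeer(pkg, name) {
  const findings = [];
  const deps = pkg.dependencies || {};
  const peers = pkg.peerDependencies || {};
  const meta = pkg.peerDependenciesMeta || {};

  if (name in deps) {
    findings.push(`${name} is listed in "dependencies": it is installed for every consumer`);
  }
  if (!(name in peers)) {
    findings.push(`${name} is missing from "peerDependencies"`);
  }
  if (!meta[name] || meta[name].optional !== true) {
    findings.push(`${name} is not marked optional in "peerDependenciesMeta"`);
  }
  if (name in deps && name in peers && deps[name] !== peers[name]) {
    findings.push(`${name} range differs between "dependencies" and "peerDependencies"`);
  }
  return findings;
}

// Dynamic import() that tolerates an absent optional peer. Resolves to the module
// namespace, or to null (after calling onMissing with a message) when the module cannot
// be resolved. Any other error (the module exists but throws while loading) is re-thrown
// so that real failures are not masked as "not installed".
async function loadOptionalPeer(specifier, onMissing = () => {}) {
  try {
    return await import(specifier);
  } catch (err) {
    const code = err && err.code;
    if (code === 'ERR_MODULE_NOT_FOUND' || code === 'MODULE_NOT_FOUND') {
      onMissing(`optional peer dependency "${specifier}" is not installed; ` +
                `install it to enable file watching for newly created files`);
      return null;
    }
    throw err;
  }
}

// Stand-alone demo: audit both manifests, then try to load a package that is
// deliberately not installed to show the graceful path.
console.log('before:', auditOptionalPeer(BEFORE, 'chokidar'));
console.log('after: ', auditOptionalPeer(AFTER, 'chokidar'));
loadOptionalPeer('this-package-is-not-installed-example', (msg) => console.warn(msg))
  .then((mod) => console.log('loaded module:', mod))
  .catch((err) => console.error('unexpected load failure:', err));
```

In CI the audit would read the real `package.json` and fail the job on any finding; the guarded loader would replace the bare `import('chokidar')` in the webpack/rspack hooks, with `onMissing` wired to the plugin's logger.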