Upgrade to chokidar 4 #2222

Open
benmccann opened this issue Sep 15, 2024 · 12 comments

@benmccann

Chokidar v4 is out now. It drops a dozen dependencies, so is much smaller and lighter.

@remy
Owner

remy commented Sep 19, 2024

I need to check this fairly carefully for any breaking changes. If it's all good, then I will do, but there's no high priority to bump the dep just yet (especially as it's just come out).

@benmccann
Author

The big breaking change is that it dropped support for glob syntax, so any glob usage needs to be handled on the user's side: https://github.com/paulmillr/chokidar?tab=readme-ov-file#upgrading

github-actions bot commented Oct 3, 2024

This issue has been automatically marked as idle and stale because it hasn't had any recent activity. It will be automatically closed if no further activity occurs. If you think this is wrong, or the problem still persists, just pop a reply in the comments and @remy will (try!) to follow up.
Thank you for contributing <3

@github-actions github-actions bot added the stale no activity for 2 weeks label Oct 3, 2024
@benmccann
Author

Still exists as a to-do

@github-actions github-actions bot removed the stale no activity for 2 weeks label Oct 3, 2024

This issue has been automatically marked as idle and stale because it hasn't had any recent activity. It will be automatically closed if no further activity occurs. If you think this is wrong, or the problem still persists, just pop a reply in the comments and @remy will (try!) to follow up.
Thank you for contributing <3

@github-actions github-actions bot added the stale no activity for 2 weeks label Oct 17, 2024
@benmccann
Author

Still exists as a to-do

@github-actions github-actions bot removed the stale no activity for 2 weeks label Oct 17, 2024

This issue has been automatically marked as idle and stale because it hasn't had any recent activity. It will be automatically closed if no further activity occurs. If you think this is wrong, or the problem still persists, just pop a reply in the comments and @remy will (try!) to follow up.
Thank you for contributing <3

@github-actions github-actions bot added the stale no activity for 2 weeks label Oct 31, 2024
@benmccann
Author

Still exists as a to-do

@github-actions github-actions bot removed the stale no activity for 2 weeks label Oct 31, 2024
@lgugla

lgugla commented Nov 12, 2024

Any update here? In chokidar 3.6 there is a dependency on the braces package, which has a high vulnerability reported in our scans. In chokidar 4 this dependency is removed, so the vulnerability will get auto-fixed.

Please update to chokidar 4.x so that the vulnerability gets fixed in this package.

@remy
Owner

remy commented Nov 12, 2024

@lgugla it's worth doing your reading rather than blindly reporting what vuln auto tools report: #2203

You're not alone though, often vulns are reported when they're nonsense.

@remy
Owner

remy commented Nov 12, 2024

I'm guessing no one has wanted to contribute to this issue to see if it breaks backward support, so I'll do it when I've got time.

I'm guessing the only tangible benefit is ticking that security box around the false positive flag on braces, or is there something else that's significantly better? (this will help inform the priority)

@benmccann
Author

As mentioned in the issue description, it also drops a dozen dependencies so results in smaller installs and less supply chain risk
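
An added example, not part of the thread and not nodemon's or chokidar's code: when a scanner flags a transitive package such as braces, tracing which dependency chains pull it into your install is the first triage step before judging whether the finding matters. The sketch assumes the `packages` map layout of package-lock.json (lockfileVersion 2/3); the sample lockfile, `depsOf`, `resolve` and `pathsTo` are constructed for illustration.

```javascript
// Constructed sample in the package-lock.json "packages" layout (lockfileVersion 2/3).
// Package names follow the thread; the tree and versions are made up for the demo.
const lock = { packages: {
  "": { dependencies: { nodemon: "*" } },
  "node_modules/nodemon": { version: "0.0.0", dependencies: { chokidar: "*", debug: "*" } },
  "node_modules/debug": { version: "0.0.0" },
  "node_modules/chokidar": { version: "0.0.0", dependencies: { anymatch: "*", braces: "*" } },
  "node_modules/anymatch": { version: "0.0.0", dependencies: { picomatch: "*" } },
  "node_modules/picomatch": { version: "0.0.0" },
  "node_modules/braces": { version: "0.0.0", dependencies: { "fill-range": "*" } },
  "node_modules/fill-range": { version: "0.0.0" },
} };

// Runtime edges only: dependencies plus optionalDependencies of one lock entry.
const depsOf = (pkg) => Object.keys({ ...pkg?.dependencies, ...pkg?.optionalDependencies });

// Resolve `name` the way Node does from the package installed at `fromPath`:
// nearest nested node_modules first, then each ancestor, then the top level.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Every dependency chain from the root project that ends at `target`,
// found breadth-first so the shortest chains come first.
function pathsTo(lock, target) {
  const found = [], queue = [{ path: "", chain: [] }];
  while (queue.length) {
    const { path, chain } = queue.shift();
    for (const name of depsOf(lock.packages[path])) {
      const next = resolve(lock.packages, path, name);
      if (!next || chain.includes(name)) continue; // not installed, or a cycle
      if (name === target) found.push([...chain, name]);
      else queue.push({ path: next, chain: [...chain, name] });
    }
  }
  return found;
}

for (const chain of pathsTo(lock, "braces")) console.log(chain.join(" > "));
```

To use it on a real project, replace the sample with `JSON.parse` of your own package-lock.json; on very large trees the number of chains can grow quickly, so limit the search to the package you are triaging.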
