@tanstack/router-plugin declares chokidar as a production dependency, but it is only used in the webpack and rspack code paths. Vite and esbuild users never execute the chokidar code, yet it is installed in their dependency tree, bringing in transitive dependencies with known vulnerabilities (e.g., picomatch@2.3.1 via anymatch — CVE-2026-33671, CVE-2026-33672).
These CVEs are not practically exploitable in this context — chokidar is a dev-time file watcher, and the glob patterns it processes come from developer-controlled configuration, not from external input. However, having unnecessary dependencies in the tree increases the supply chain attack surface regardless of any specific CVE. Minimizing unused transitive dependencies is a worthwhile goal in its own right.
Details
In router-generator-plugin.ts, chokidar is dynamically imported only within the rspack() and webpack() hooks to supplement their file watchers for newly created files:
The Vite code path uses Vite's built-in watchChange hook instead, and the esbuild code path does not use file watching at all.
Since chokidar is already loaded via dynamic import(), making it an optional peer dependency would not require any code changes — only a package.json update:

```diff
  "dependencies": {
-   "chokidar": "^3.6.0",
    ...
  },
  "peerDependencies": {
+   "chokidar": "^3.6.0",
    ...
  },
  "peerDependenciesMeta": {
+   "chokidar": {
+     "optional": true
+   },
    ...
  }
```

Impact

- Vite/esbuild users: chokidar and its transitive dependencies (anymatch, picomatch, glob-parent, etc.) are removed from the dependency tree, eliminating false-positive vulnerability reports and reducing supply chain attack surface.
- webpack/rspack users: They would need to install chokidar explicitly, or the package manager would warn about an unmet optional peer dependency. A note in the docs or a helpful error message on import failure could guide them.
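The "helpful error message on import failure" suggested under Impact, as an added example that is not part of the post or of @tanstack/router-plugin's own code: chokidar is reached through a dynamic import() only on the webpack/rspack path, and when the optional peer dependency is absent, Node's bare resolver error is replaced by one naming the package, the consumer and the install command. The function and parameter names are assumptions, and the `specifier` override exists only so the missing-package path can be exercised without uninstalling chokidar.

```javascript
// Added example, not @tanstack/router-plugin code: chokidar as an optional
// peer dependency. Only webpack/rspack reach the import; Vite/esbuild never do.
const MODULE_NOT_FOUND_CODES = new Set(['ERR_MODULE_NOT_FOUND', 'MODULE_NOT_FOUND']);

// True only when the *named* package itself is missing. A resolver error that
// names some other module (e.g. a broken transitive dependency inside chokidar)
// is a real installation problem and must not be masked as "peer not installed".
function isPackageMissing(err, specifier) {
  return err instanceof Error &&
    MODULE_NOT_FOUND_CODES.has(err.code) &&
    String(err.message).includes(specifier);
}

// Dynamically import an optional peer dependency; on a missing package, throw
// an actionable error naming the consumer, the reason and the install command.
async function importOptionalPeer(specifier, { requiredBy, reason }) {
  try {
    return await import(specifier);
  } catch (err) {
    if (!isPackageMissing(err, specifier)) throw err;
    const help = new Error(
      `${requiredBy}: optional peer dependency "${specifier}" is not installed, ` +
        `but it is required ${reason}. Install it with: npm install -D ${specifier}`,
      { cause: err },
    );
    help.code = 'ERR_OPTIONAL_PEER_MISSING';
    throw help;
  }
}

// Mirrors the plugin's split described above: only the webpack and rspack hooks
// supplement their watchers with chokidar; Vite relies on watchChange and
// esbuild does no watching, so neither ever triggers the import.
// `specifier` is a hypothetical override so tests can exercise the
// missing-package path without touching the real chokidar installation.
async function loadNewFileWatcher(bundler, { specifier = 'chokidar' } = {}) {
  if (bundler !== 'webpack' && bundler !== 'rspack') return null;
  return importOptionalPeer(specifier, {
    requiredBy: '@tanstack/router-plugin',
    reason: `by the ${bundler} integration to detect newly created route files`,
  });
}
```

In a webpack() hook, `const chokidar = await loadNewFileWatcher('webpack')` would be followed by the usual `chokidar.watch(...)` call; `loadNewFileWatcher('vite')` resolves to null without ever evaluating the import.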