Security: ReDoS vulnerability in picomatch (CVE-2026-33671) via chokidar dependency

## Description

`@rspack/dev-server` is affected by **CVE-2026-33671** — a Regular Expression Denial of Service (ReDoS) vulnerability in `picomatch` (CVSS 7.5 HIGH).

Certain extglob patterns (`+()`, `*()`) with overlapping alternatives or nested extglobs can trigger excessive backtracking, causing CPU exhaustion and blocking the Node.js event loop.

**CVE details:** https://nvd.nist.gov/vuln/detail/CVE-2026-33671

## Dependency chain

```
picomatch@2.3.2
└── anymatch@3.1.3
    └── chokidar@3.6.0
        └── @rspack/dev-server@1.2.1
```

## Suggested fix

Update `chokidar` to v4+, which no longer depends on `picomatch`/`anymatch` at all, eliminating this vulnerability entirely.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: ReDoS vulnerability in picomatch (CVE-2026-33671) via chokidar dependency #173

Description

Dependency chain

Suggested fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: ReDoS vulnerability in picomatch (CVE-2026-33671) via chokidar dependency #173

Description

Description

Dependency chain

Suggested fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions