It was recently discovered that the .chroot() function in coro-fs didn't actually protect against escaping the chroot. This matters to any code that depends on that function.
The most popular dependency I know of is the static asset loader for weblit.
The public https://luvit.io/ was vulnerable to this attack. It's been patched and redeployed already.
A new version has been published. Please update your app's deps and make sure you have coro-fs of at least version 2.2.2.
If you publish a CLI tool or an app to lit, keep in mind that all dependencies are a snapshot at time of publication. All that's needed is to bump the version of your package and publish again, and it will get a new set of all recursive dependencies in the new snapshot. (Make sure to test that none of the new libraries break your app.)
-Tim Caswell