This repository was archived by the owner on Dec 15, 2023. It is now read-only.

Audit report (moderate impact) via yargs dependency #182

Open
sffc opened this issue Dec 30, 2022 · 1 comment

Comments


sffc commented Dec 30, 2022

There is an npm audit report on this package due to its dependency on a vulnerable version of yargs, which npm audit fix is unable to resolve.

# npm audit report

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
../shared/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  ../shared/node_modules/yargs
    dts-gen  *
    Depends on vulnerable versions of yargs
    ../shared/node_modules/dts-gen

3 moderate severity vulnerabilities

sffc commented Dec 30, 2022

Note that yargs is now at version 17, and the vulnerability is only in versions 4 through 7, so I think updating the yargs dependency to a newer version in dts-gen should resolve this.
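The chain that the audit output prints bottom-up, walked top-down as an added example (this is not code from the issue, dts-gen or npm). The package names, the yargs 7.1.1 version and the yargs-parser <=5.0.0 range come from the report; dts-gen's own version is a placeholder, and the semver comparison is a minimal stand-in for the real semver library.

```javascript
// Added example (not from the issue, dts-gen or npm): walk a package-lock-style tree and
// list each path ending in an advisory-covered version, top-down instead of npm audit's bottom-up.
function parseVersion(v) { // "7.0.0-alpha.3" -> numeric core parts + prerelease identifiers
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? [] : v.slice(dash + 1).split('.');
  const [major, minor, patch] = core.split('.').map(Number);
  return { major, minor, patch, pre };
}
// Semver-style compare (-1/0/1): a release outranks its prereleases; numeric identifiers compare as numbers.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    if (x.pre[i] === y.pre[i]) continue;
    const nx = Number(x.pre[i]), ny = Number(y.pre[i]);
    const numeric = !Number.isNaN(nx) && !Number.isNaN(ny);
    return (numeric ? nx < ny : x.pre[i] < y.pre[i]) ? -1 : 1;
  }
  return 0;
}
// Root-cause advisory from the report: yargs-parser <=5.0.0.
const ADVISORIES = [
  { name: 'yargs-parser', id: 'GHSA-p9pc-299p-vxgp', vulnerable: v => compareVersions(v, '5.0.0') <= 0 },
];
// Depth-first walk. Ancestors stay in the path, which is why npm audit counts dts-gen and
// yargs as findings too: they depend on the vulnerable version.
function findVulnerablePaths(node, advisories = ADVISORIES, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}@${dep.version}`];
    for (const adv of advisories) {
      if (adv.name === name && adv.vulnerable(dep.version)) hits.push({ path: here, id: adv.id });
    }
    hits.push(...findVulnerablePaths(dep, advisories, here));
  }
  return hits;
}
// Distinct package names across all paths: the "3 moderate severity vulnerabilities" in the report.
const affectedPackages = hits => new Set(hits.flatMap(h => h.path.map(p => p.slice(0, p.lastIndexOf('@')))));
// Constructed tree mirroring the audit chain; dts-gen's version is not on the page, so 0.0.0 is a placeholder.
const TREE = { dependencies: { 'dts-gen': { version: '0.0.0', dependencies: {
  yargs: { version: '7.1.1', dependencies: { 'yargs-parser': { version: '5.0.0' } } } } } } };
const HITS = findVulnerablePaths(TREE);
for (const h of HITS) console.log(`${h.id}: ${h.path.join(' > ')}  (${affectedPackages(HITS).size} packages affected)`);
```

Running the same walk over a lock file in which dts-gen pulls a yargs release above 7.1.1 (and so a newer yargs-parser) returns no paths, which is the check to run after the dependency bump the comment above proposes.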
