fix(deps): security vulnerability in yargs-parser

[Ionaru]

• This is a bugfix
• This is a feature
• This is a code refactor
• This is a test update
• This is a docs update
• This is a metadata update

For Bugs and Features; did you add new tests?

No.

Motivation / Use-Case

It fixes #2559

Additional Info

Running npm audit -production for webpack-dev-server complains about mkdirp as well, this should be looked into by the Webpack team.

[codecov]

Codecov Report

Merging #2566 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #2566   +/-   ##
=======================================
  Coverage   93.77%   93.77%           
=======================================
  Files          34       34           
  Lines        1333     1333           
  Branches      381      381           
=======================================
  Hits         1250     1250           
  Misses         81       81           
  Partials        2        2           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 375ab23...840233f. Read the comment docs.

[alexander-akait]

/cc @Loonride @hiroppy I think we can update this, because latest webpack-cli uses https://github.com/webpack/webpack-cli/blob/v3.3.11/package.json#L126

[nkmdk-007]

👍

[hiroppy]

Need to fix CI at first.

[Ionaru]

@hiroppy do the CI failures on this PR have anything to do with the change I made? Tests on master fail as well, on my local machine I had 3 tests fail on master before my change and the same amount after my change.

[hiroppy]

@Ionaru ok, sorry. But we can't merge this PR if CI fails. Currently, we are working on v4 branch to release the new major version. V4 branch's CI is green so if you want to continue to work this PR, please change the targeted branch from master. (also actually, this change is a breaking change.)

https://github.com/webpack/webpack-dev-server/tree/v4

Thanks.

[Ionaru]

I don't think it's correct to have locked #2559.
This audit failure impacts many developers, pretty much everyone using Angular, and now it's locked because of "spam"? There's been no unrelated discussion on the issue, locking it prevents people from adding a 👍 as indication of priority or desire for the issue to be resolved.

I think the proper course of action is to either unlock it, or to have a Webpack member add a statement that the issue is being worked on.

[Ionaru]

(also actually, this change is a breaking change.)

How is it a breaking change? As far as I'm aware, the public webpack API (or CLI) does not change.

[hiroppy]

@Ionaru Yes, I know. So we decided to upgrade this package but we are working on v4 branch to release the new major version ASAP. I wanna say would you continue to work on your PR? If you reject this thing, I'll work on it.

[ashfordneil]

Given that this is a security fix rather than a regular PR, shouldn’t publishing it and making it available to users (angular was mentioned above, create react app also depends on this) be pushed through sooner rather than later.

While I get that normally punting things to the upcoming release makes sense, in this context it feels like you’re refusing to back-port security updates to version 3 before version 4 is even out.

[alexander-akait]

@Ionaru

This audit failure impacts many developers, pretty much everyone using Angular, and now it's locked because of "spam"?

To avoid messages like: "same here", "please update" and etc

While I get that normally punting things to the upcoming release makes sense, in this context it feels like you’re refusing to back-port security updates to version 3 before version 4 is even out.

No, we want to do release, just wait other developers

Merged, but give me time for testing locally, due problem on CI