Bug report - optimist, minimist dependency security vulnerability high #70
Comments
lance-cfa
added a commit
to lance-cfa/rxjs-tslint
that referenced
this issue
Apr 8, 2020
Optimist has been deprecated over 2 years ago as has a security vulnerability. With this change we use it's successor `yargs`. Closes: ReactiveX#70
mgechev
pushed a commit
that referenced
this issue
Apr 14, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ minimist before 1.2.2 could be tricked into adding or │ │ │ modifying properties of Object.prototype using a │ │ │ "constructor" or "__proto__" payload. │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ 0.2.1||1.2.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ rxjs-tslint [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ rxjs-tslint > optimist > minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-75… │ └───────────────┴──────────────────────────────────────────────────────────────┘optimist depends on minimist, which has this security issue. optimist is no longer maintained and owner wont patch.
Suggest replacing optimist with yargs.
Solution provided here.
The text was updated successfully, but these errors were encountered: