yargs-parser vulnerability #2438
Please use the search mechanism on the issue tracker before opening a ticket - we have answered this question probably 40 times.
Bradshaw pushed a commit to Bradshaw/gulp-do-merge that referenced this issue Apr 29, 2021
```
yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/yargs/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    gulp-cli  >=2.0.0
    Depends on vulnerable versions of yargs
    node_modules/gulp-cli
      gulp  >=4.0.0
      Depends on vulnerable versions of gulp-cli
      node_modules/gulp

4 low severity vulnerabilities
```

there are still "low severity" vulnerabilities in yargs-parser used by gulp, which doesn't have an attack vector: gulpjs/gulp#2438 (comment)
Hey guys,
npm is reporting a Prototype Pollution vulnerability on the yargs-parser dependency:
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of gulp-sass [dev]
Path gulp-sass > node-sass > sass-graph > yargs > yargs-parser
More info https://npmjs.com/advisories/1500