Updated argparse package reference

[robotsrule]

Version of argparse being referenced is very old and has a security vulnerability via an old reference to underscore. argparse has been using lodash for a very long time which alleviates the vulnerability.

https://app.snyk.io/vuln/npm:underscore.string:20170908

[Rosey]

Thank you for opening this PR 🙌 here's hoping it gets merged and released soon :)

[jonschlinkert]

More detail is necessary describing how exactly this vulnerability would effect this library. Please describe how anyone would use this exploit.

A pull requet to replace argparse with a different library would be much preferred. Otherwise this is a seriously low priority as it's a "vulnerability" in the CLI.

[shellscape]

@jonschlinkert I'm a little confused as to how it can be dismissed as low priority when NPM itself is marking it as moderate. https://nodesecurity.io/advisories/745 Is there not a responsibility to mitigate these kinds of vulnerabilities with or without a reproduction or 0-day use-case, especially when the task is as simple as updating a dependency?

[jonschlinkert]

I'm a little confused as to how it can be dismissed as low priority when NPM itself is marking it as moderate.

1. Unless you are planning on attacking yourself by entering a 100k string in the terminal while running the CLI, this is not even remotely a vulnerability or security concern for remarkable.
2. People get paid for reporting those "vulnerabilities" to Snyk
3. NPM is attempting to create a competitive advantage over Yarn and other package managers by making "security" a top priority, which results in us having to see those annoying warnings in the terminal, long after any true vulnerabilities have already been addressed. Any experienced developer would know this, as you would be violating responsible disclosure otherwise.
4. Despite that, NPM knows this strategy works because common sense never prevails, and devs like you will still say things like "Is there not a responsibility to mitigate these kinds of vulnerabilities".
5. If you simply want to remove the noise from the terminal, just say that. But the real complaint should be to NPM.

If you want to continue the dialog in a thoughtful, productive way, I'd be happy to listen. If, however, you only want to troll the issue by arguing from authority, it's not going to help, as I will continue to look at facts, and not react by emotion.

[doowb]

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 2 seconds per 50k characters.

This means that if you pass a long string (50k characters?), that might look like a date, to the remarkable cli, your experience might be degraded by about 2 seconds. I don't see why anyone would do this to themselves.

Edit: Jon answered above while I was typing this out.
I agree with him on the other points he makes too, especially the part about people getting paid to submit "vulnerabilities" to Snyk. When they're doing this, it never seems like anyone uses common sense and actually looks at how the code is being used nor think about if it would actually be exploitable.

[jonschlinkert]

your experience might be degraded by about 2 seconds. I don't see why anyone would do this to themselves.

Then again, people use Yeoman and Inquirer, which do the same thing but without the vulnerability ;)

[jonschlinkert]

We will merge this in, but FWIW, argparse should have released a patch to fix this. An issue should be created with that library, it shouldn't require a bump here.

[shockey]

cc: #310