Outstanding Security Vulnerability via RC which is using an out of date INI version

[martin-fogelman]

Hi Folks,

Node-pre-gyp uses RC, which in turn is using an out of date ini version with a high severity prototype pollution vulnerability: https://app.snyk.io/vuln/SNYK-JS-INI-1048974

It looks like RC hasn't been updated in some time and it's already been a few weeks (granted there were holidays), so I'm escalating the issue here in case folks can help. See RC issue 120 and RC resolved but unmerged PR 121.

A quick review does seem to show that Dominic was responsive in the past re minimist? (See RC pull 114 and RC pull 115; cf. #493)

Thanks

[springmeyer]

I think node-pre-gyp can likely get away without using RC in a future release. So I may just go that direction: https://github.com/mapbox/node-pre-gyp/tree/remove-rc

[jmz527]

@springmeyer just checking in, any updates on this?

[springmeyer]

Yes, node-pre-gyp upcoming v1.0.0 release will drop rc (#552) so this issue will be resolved

[motishani]

@springmeyer do you know when the new v1.0.0 will be released?

[springmeyer]

@motishani an alpha is already available. Try doing:

npm install @mapbox/node-pre-gyp@1.0.0-alpha4 --save

[springmeyer]

@mapbox/node-pre-gyp@1.0.0 is now released, which solves this.