This repository has been archived by the owner on Apr 7, 2021. It is now read-only.

[BUG] Yargs dependency is outdated with known vulnerabilities #59

Open

aleybovich opened this issue Jun 4, 2020 · 6 comments

Comments

@aleybovich

What / Why

The version of the yargs dependency is severely outdated and contains the known security vulnerability CVE-2020-7608 (yargs/yargs-parser@63810ca). That bug is fixed in yargs-parser versions 18.1.1, 13.1.2, and 15.0.1.

When

When performing an AQUA scan on the latest official nodejs v12 docker image, it finds CVE-2020-7608, which is caused by an old version of the yargs dependency in npx.

@ljharb

ljharb commented Jun 4, 2020

This isn't a real vulnerability, however (in like, 99% of cases the CVE implies it is one).

The attack vector here is "you run the command with archaic and uniquely crafted command-line arguments, and are thus able to hijack your own command invocation". This is a risk of precisely zero.

@bbailleux

Hello,
I must admit that the vulnerability is actually more or less more virtual than real, but that breaks our deployment pipeline (which includes an npm audit --prod) and prevents us from correctly interpreting the result (when the alarm is always on, nobody cares).

Would you consider upgrading to any version in the range >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 ?
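
A triage check for the dependency tree, added here as an example and not part of the thread or the project: it walks a package-lock-style tree, finds every nested yargs-parser, and tests each version against the fixed range quoted in the comment above. The lock fragment is constructed for illustration, and the small range evaluator supports only the comparators that range uses.

```javascript
// Added example (not from the issue thread): find every yargs-parser in a
// package-lock-style tree and check it against the fixed range quoted above.
const FIXED_RANGE = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';
// "1.2.3" -> [1, 2, 3]; a pre-release suffix is ignored for simplicity.
const parseVersion = (v) => v.split('-')[0].split('.').map(Number);
// Negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}
// Evaluate an npm-style range: "||" separates alternatives, whitespace ANDs
// the comparators within one alternative (only the operators used above).
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((token) => {
      const m = /^(>=|<=|>|<)?(\d+\.\d+\.\d+)$/.exec(token);
      if (!m) throw new Error(`unsupported comparator: ${token}`);
      const c = compareVersions(version, m[2]);
      const ok = { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 };
      return ok[m[1] || '='];
    }));
}
// Walk {name: {version, dependencies}} recursively (the package-lock v1 shape)
// and report each yargs-parser with its path and whether it is in the fixed range.
function findYargsParser(deps, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === 'yargs-parser') {
      hits.push({ path: here.join(' > '), version: info.version,
                  fixed: satisfies(info.version, FIXED_RANGE) });
    }
    hits.push(...findYargsParser(info.dependencies, here));
  }
  return hits;
}
// Constructed lock fragment: one vulnerable nested copy, one fixed top-level copy.
const sampleLock = { dependencies: {
  'some-cli': { version: '1.0.0', dependencies: {
    yargs: { version: '13.2.4', dependencies: {
      'yargs-parser': { version: '13.1.1' } } } } },
  'yargs-parser': { version: '18.1.3' },
} };
for (const hit of findYargsParser(sampleLock.dependencies)) {
  console.log(`${hit.fixed ? 'ok        ' : 'VULNERABLE'} ${hit.path}`);
}
```

Pointing `findYargsParser` at the `dependencies` object of a real package-lock.json shows which copies npm audit is flagging and which parent package pulls them in.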

@ljharb

ljharb commented Jun 30, 2020

Yes, that is the problem with overly broad CVEs - they undermine the entire system. Unfortunately that's not something individual projects can really fix.

@karfau

karfau commented Jun 30, 2020

> Would you consider upgrading

@bbailleux The question is who are you referring to as "you"?
See #30

@bbailleux

> Would you consider upgrading
>
> @bbailleux The question is who are you referring to as "you"?
> See #30

Oh. I wasn't aware of that situation. Yargs being a dependency of a dependency of a build tool, I did not dig very deep into the problem before writing.
Reading the comments in #30, I understand that it is way more complex than expected (and that "you" is currently… nobody), but with a (small?) hope to come in Q2 of 2020.

@KilianKilmister

> but with a (small?) hope to come in Q2 of 2020.

well, can't really call it hope anymore seeing as the second quarter ended last month, lol
