[BUG] Yargs dependency is outdated with known vulnerabilities #59
This isn't a real vulnerability, however (in like, 99% of cases the CVE implies it is one). The attack vector here is "you run the command with archaic and uniquely crafted command-line arguments, and are thus able to hijack your own command invocation". This is a risk of precisely zero.
Hello, would you consider upgrading to any version in the range >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2?
Yes, that is the problem with overly broad CVEs: they undermine the entire system. Unfortunately that's not something individual projects can really fix.
@bbailleux The question is who are you referring to as
Oh. I wasn't aware of that situation. Yargs being a dependency of a dependency of a build tool, I did not dig very deep in the problem before writing. |
well, can't really call it hope anymore seeing as the second quarter ended last month, lol |
What / Why
The version of the yargs dependency is severely outdated and contains known security vulnerability CVE-2020-7608 (yargs/yargs-parser@63810ca). That bug is fixed in yargs-parser versions 18.1.1, 13.1.2, 15.0.1.
When performing AQUA scan on the latest official nodejs v12 docker image, it finds CVE-2020-7608 which is caused by an old version of the yargs dependency in npx.
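The practical question behind this thread is whether any copy of yargs-parser pulled in transitively (as here, by a build tool) falls inside the fixed range quoted above. The script below is an added example, not code from the yargs project or from this issue: it walks a package-lock.json object, finds every installed yargs-parser, and evaluates it against that range with a small dependency-free semver check. The lockfile embedded in it is constructed for illustration; its package names and versions are assumptions, not taken from any real project.

```javascript
// Added example: audit every yargs-parser copy in a package-lock.json
// against the fixed range quoted in the issue thread. Plain Node, no deps.

const FIXED_RANGE = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=13.1.2" or "<14.0.0" (operator and version adjacent).
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// "||" separates alternatives; whitespace inside an alternative means AND.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp))
  );
}

// Collect every installed copy of `name` from a parsed package-lock.json.
// lockfileVersion 2/3 lists flat "packages" keys; v1 nests "dependencies".
// A v2 file carries both, so "packages" wins to avoid double counting.
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps)) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name && meta.version) found.push({ path, version: meta.version });
      if (meta.dependencies) walk(meta.dependencies, `${path}/`);
    }
  };
  if (lock.dependencies) walk(lock.dependencies, '');
  return found;
}

// Every installed copy of `name`, annotated with whether it is in the fixed range.
function auditLock(lock, name, range) {
  return findInstalled(lock, name).map(e => ({ ...e, fixed: satisfies(e.version, range) }));
}

// Constructed v1-style lockfile: a hypothetical build tool nests an old
// yargs-parser, while the top-level copy is already patched.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'some-build-tool': {
      version: '1.0.0',
      dependencies: {
        yargs: { version: '13.2.4', dependencies: { 'yargs-parser': { version: '13.0.0' } } },
      },
    },
    'yargs-parser': { version: '18.1.3' },
  },
};

for (const entry of auditLock(SAMPLE_LOCK, 'yargs-parser', FIXED_RANGE)) {
  console.log(`${entry.fixed ? 'ok       ' : 'OUTDATED '} ${entry.version}  ${entry.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; the nested path in the output tells you which top-level dependency needs the upgrade, which is the information the first reply in this thread was asking for.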