Skip to content
This repository has been archived by the owner on Dec 15, 2023. It is now read-only.

Audit report (moderate impact) via yargs dependency #182

Open
sffc opened this issue Dec 30, 2022 · 1 comment
Open

Audit report (moderate impact) via yargs dependency #182

sffc opened this issue Dec 30, 2022 · 1 comment

Comments

@sffc
Copy link

sffc commented Dec 30, 2022

There is an npm audit report on this package due to its dependency on a vulnerable version of yargs, which npm audit fix is unable to resolve.

# npm audit report

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
../shared/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  ../shared/node_modules/yargs
    dts-gen  *
    Depends on vulnerable versions of yargs
    ../shared/node_modules/dts-gen

3 moderate severity vulnerabilities
@sffc
Copy link
Author

sffc commented Dec 30, 2022

Note that yargs is now at version 17, and the vulnerability is only in versions 4 through 7, so I think updating the yargs dependency to a newer version in dts-gen should resolve this.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sffc