Strider-CD / strider

Open Source Continuous Integration & Deployment Server
http://strider-cd.github.io/
4.59k stars 432 forks

several vulnerabilities CVE-2020-15168,CVE-2020-7598 are introduced in strider #1124

Open ayaka-kms opened 2 years ago

ayaka-kms commented 2 years ago

Hi, several vulnerabilities CVE-2020-15168, CVE-2020-7598 are introduced in strider via: ● strider@2.4.20 ➔ opencollective@1.0.3 ➔ minimist@1.2.0

However, opencollective is a legacy package, which has not been maintained for about 4 years. Is it possible to migrate opencollective to another package to remediate this vulnerability?

I noticed several migration records in other js repo for opencollective:

  1. in commitizen, version 2.10.1 ➔ 3.0.0, remove opencollective via commit
  2. in fast-xml-parser, version 3.3.0 ➔ 3.3.1, remove opencollective via commit
  3. in react-slick, version 0.12.1 ➔ 0.12.2, remove opencollective via commit
  4. in level, version 3.0.1 ➔ 3.0.2, migrate opencollective to opencollective-postinstall via commit
  5. in ngx-infinite-scroll, version 7.0.1 ➔ 7.1.0, migrate opencollective to opencollective-postinstall via commit
  6. in inferno, version 7.1.8 ➔ 7.1.9, migrate opencollective to opencollective-postinstall via commit

Are there any efforts planned that would remediate this vulnerability or migrate opencollective?

Thanks.

knownasilya commented 2 years ago

Thanks for the issue. Will most likely remove it, although it's not really a vulnerability since the dep is not used on the server itself and there is no way for outside users to pass args to minimist.