balmasi / migrate-mongoose

A node based migration framework for mongoose supporting ES6 migrations
MIT License

Security vulnerability on dangling dependency of yargs "^4.8.1" #80

Open dropbeardan opened 2 years ago

dropbeardan commented 2 years ago

Dependabot has picked up a dependency on an old version of yargs from migrate-mongoose^4.0.0.

There is a moderately severe security vulnerability notice on yargs-parser@2.4.1:

The latest possible version that can be installed is 2.4.1 because of the following conflicting dependencies.

The earliest fixed version is 5.0.1.

I'm not exactly sure why the old version is still being resolved by NPM/Yarn but would it be possible to bump that up?

```json
"migrate-mongoose": {
  "version": "4.0.0",
  "resolved": "https://registry.npmjs.org/migrate-mongoose/-/migrate-mongoose-4.0.0.tgz",
  "integrity": "sha512-Zf4Jk+CvBZUrZx4q/vvYr2pRGYAo7RO4BJx/3aTAR9VhNa34/iV0Rhqj87Tflk0n14SgwZpqvixyJzEpmSAikg==",
  "requires": {
    "bluebird": "^3.3.3",
    "colors": "^1.1.2",
    "dotenv": "^8.0.0",
    "inquirer": "^0.12.0",
    "mkdirp": "^0.5.1",
    "mongoose": "^5.6.3",
    "yargs": "^4.8.1"
  }
},
"yargs": {
  "version": "4.8.1",
  "resolved": "https://registry.npmjs.org/yargs/-/yargs-4.8.1.tgz",
  "integrity": "sha1-wMQpJMpKqmsObaFznfshZDn53cA=",
  "requires": {
    "cliui": "^3.2.0",
    "decamelize": "^1.1.1",
    "get-caller-file": "^1.0.1",
    "lodash.assign": "^4.0.3",
    "os-locale": "^1.4.0",
    "read-pkg-up": "^1.0.1",
    "require-directory": "^2.1.1",
    "require-main-filename": "^1.0.1",
    "set-blocking": "^2.0.0",
    "string-width": "^1.0.1",
    "which-module": "^1.0.0",
    "window-size": "^0.2.0",
    "y18n": "^3.2.1",
    "yargs-parser": "^2.4.1"
  }
},
"yargs-parser": {
  "version": "2.4.1",
  "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz",
  "integrity": "sha1-hVaN488VD/SfpRgl8DqMiA3cxcQ=",
  "requires": {
    "camelcase": "^3.0.0",
    "lodash.assign": "^4.0.6"
  }
}
```
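The resolution question raised in the report (why npm/Yarn keeps installing yargs-parser 2.4.1 when 5.0.1 is the earliest fix) comes down to semver range semantics: a caret range never crosses a major version, so `^2.4.1` can only ever match 2.x. The following is an added example, not code from migrate-mongoose or from the issue author, that walks a lockfile-v1 `dependencies` map, names every dependant of a vulnerable package, checks whether each dependant's declared range could ever reach the fixed version, and prints the chain of `requires` edges that pins the old version. The lock data is constructed from the excerpt above (trimmed to the relevant edges), and only exact versions and caret ranges are handled, which is an assumption rather than full semver support.

```javascript
// Added example, not code from migrate-mongoose or the issue author.
// Audits a package-lock.json v1 "dependencies" map for a vulnerable
// transitive package. Assumption: only exact versions and caret (^)
// ranges are understood; this covers the lock excerpt in the issue.

// Constructed from the lock excerpt in the issue, trimmed to relevant edges.
const LOCK_FRAGMENT = {
  "migrate-mongoose": {
    version: "4.0.0",
    requires: { yargs: "^4.8.1", mongoose: "^5.6.3" },
  },
  yargs: {
    version: "4.8.1",
    requires: { cliui: "^3.2.0", "yargs-parser": "^2.4.1" },
  },
  "yargs-parser": {
    version: "2.4.1",
    requires: { camelcase: "^3.0.0" },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Caret semantics: "^x.y.z" admits >= x.y.z with the left-most non-zero
// component unchanged. So ^2.4.1 never admits 5.0.1, and ^0.5.1 never 0.6.0.
function caretAllows(range, candidate) {
  if (!range.startsWith("^")) return compareVersions(range, candidate) === 0;
  const baseStr = range.slice(1);
  if (compareVersions(candidate, baseStr) < 0) return false;
  const base = parseVersion(baseStr);
  const c = parseVersion(candidate);
  if (base[0] > 0) return c[0] === base[0];
  if (base[1] > 0) return c[0] === 0 && c[1] === base[1];
  return c[0] === 0 && c[1] === 0 && c[2] === base[2];
}

// For every package whose "requires" names `pkg`: the locked version, whether
// it predates `fixedVersion`, and whether the declared range can reach the fix.
function auditDependants(lock, pkg, fixedVersion) {
  const locked = lock[pkg] ? lock[pkg].version : null;
  const findings = [];
  for (const [name, entry] of Object.entries(lock)) {
    const range = entry.requires && entry.requires[pkg];
    if (!range) continue;
    findings.push({
      dependant: `${name}@${entry.version}`,
      range,
      locked,
      vulnerable: locked !== null && compareVersions(locked, fixedVersion) < 0,
      fixReachable: caretAllows(range, fixedVersion),
    });
  }
  return findings;
}

// Depth-first walk from `root` along "requires" edges to `pkg`; the returned
// chain is the list of packages that explain why the old version is present.
function dependencyChain(lock, root, pkg, seen = new Set()) {
  if (root === pkg) return [pkg];
  if (seen.has(root) || !lock[root]) return null;
  seen.add(root);
  for (const dep of Object.keys(lock[root].requires || {})) {
    const rest = dependencyChain(lock, dep, pkg, seen);
    if (rest) return [root, ...rest];
  }
  return null;
}

// Usage: 5.0.1 is the earliest fixed yargs-parser named in the issue.
for (const f of auditDependants(LOCK_FRAGMENT, "yargs-parser", "5.0.1")) {
  console.log(
    `${f.dependant} requires yargs-parser ${f.range}; locked ${f.locked}; ` +
      `vulnerable=${f.vulnerable}; fix reachable within range=${f.fixReachable}`
  );
}
const chain = dependencyChain(LOCK_FRAGMENT, "migrate-mongoose", "yargs-parser");
console.log(chain ? chain.join(" -> ") : "no path");
```

Run against the excerpt, the audit reports `yargs@4.8.1` as the only dependant of yargs-parser, locked at 2.4.1 and vulnerable, with `fixReachable=false`, and the chain `migrate-mongoose -> yargs -> yargs-parser`. That is the answer to the resolution question: no amount of `npm update` or lockfile regeneration can pull in a fixed yargs-parser while yargs's own range is `^2.4.1`, so the fix has to come from a newer yargs whose range admits a patched yargs-parser, which in turn requires migrate-mongoose to widen or bump its `yargs` dependency. `npm ls yargs-parser` (or `yarn why yargs-parser`) shows the same chain on a real install.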