Describe the bug
Current versions of the react-reactive-form package depend on opencollective@1.0.3
This package is end-of-life -- will not see further updates, yet transitively depends on versions of the the minimist package that are vulnerable to two cases of prototype pollution. By extension this leaves consumers of the react-reactive-form package with a vulnerable version of minimist in their tree.
To Reproduce
Install the react-reactive-form package.
Run npm audit.
Expected behavior
No security vulnerabilities in the package tree by removing the dependency on opencollective.
(Note also that OpenCollective itself actively discourages continued use of their old solutions that hang off of postinstall scripts. They encourage using the built-in npm fund functionality instead.)
Describe the bug Current versions of the
react-reactive-formpackage depend onopencollective@1.0.3This package is end-of-life -- will not see further updates, yet transitively depends on versions of the the minimist package that are vulnerable to two cases of prototype pollution. By extension this leaves consumers of thereact-reactive-formpackage with a vulnerable version of minimist in their tree.To Reproduce
react-reactive-formpackage.npm audit.Expected behavior No security vulnerabilities in the package tree by removing the dependency on opencollective.
(Note also that OpenCollective itself actively discourages continued use of their old solutions that hang off of postinstall scripts. They encourage using the built-in
npm fundfunctionality instead.)