Closed brettz9 closed 3 years ago
@brettz9 You can enforce the right version of minimist if you use yarn by using the resolutions feature in your package.json file. I've successfully removed the vulnerability through this commit.
Edited to point out that this solution will not work as of today if you use npm
@debrice: Yes, thank you, but not every project is using Yarn.
+1
Bump
I might be mistaken, but I found that installing npm-force-resolutions as a dev dependency and adding the following to package.json:

```json
"resolutions": {
  "minimist": "^1.2.5"
}
```

as well as the following script to my package.json: `"preinstall": "npx npm-force-resolutions"`

By then running `npm run preinstall` and then `npm i`, it seemed to remove the audit issue around using minimist.
Looks like it's dead, last commit on master in 2018? Is there still somebody to merge? Then I maybe make a fork with a fix.
Is installing npm-force-resolutions as a dev dependency still the only (recommended) solution to the optimist/minimist issue?
npm audit output:

```
Low            Prototype Pollution
Package        minimist
Patched in     >=0.2.1 <1.0.0 || >=1.2.3
Dependency of  optimist
Path           optimist > minimist
More info      https://npmjs.com/advisories/1179
```
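As an added example (not code from the thread, from npm-force-resolutions, or from this project), here is a dependency-free Node.js check that walks a package-lock.json and reports every copy of minimist whose version falls outside the patched ranges npm audit quotes above (>=0.2.1 <1.0.0 || >=1.2.3), printing the nesting path in the same "optimist > minimist" form as the audit's Path column. It handles both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat "packages" map. The two embedded lockfiles are constructed for illustration, and the version comparison is a simplified semver compare with no prerelease handling; both are assumptions of this example.

```javascript
// Added example, not part of the original issue thread or the project.
// Report every copy of a package in a package-lock.json whose version falls
// outside the patched ranges quoted by `npm audit` for minimist:
//   >=0.2.1 <1.0.0 || >=1.2.3   (https://npmjs.com/advisories/1179)
// Works on lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).

// Patched ranges as [major, minor, patch] triples; maxExclusive null = unbounded.
const MINIMIST_PATCHED = [
  { min: [0, 2, 1], maxExclusive: [1, 0, 0] },
  { min: [1, 2, 3], maxExclusive: null },
];

// Simplified semver parse: "1.2.5" -> [1, 2, 5]; prerelease/build tags ignored
// (assumption of this example, adequate for the exact versions a lockfile pins).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version lies in at least one patched range.
// Unparseable versions are treated as unpatched (fail closed).
function isPatched(version, ranges = MINIMIST_PATCHED) {
  const v = parseVersion(version);
  if (!v) return false;
  return ranges.some(
    (r) =>
      compareVersions(v, r.min) >= 0 &&
      (r.maxExclusive === null || compareVersions(v, r.maxExclusive) < 0)
  );
}

// lockfileVersion 1: nested "dependencies" objects; record the nesting path
// in the same "a > b > c" form npm audit prints in its Path column.
function collectV1(deps, name, path, out) {
  for (const [depName, entry] of Object.entries(deps || {})) {
    const here = [...path, depName];
    if (depName === name) out.push({ path: here.join(' > '), version: entry.version });
    collectV1(entry.dependencies, name, here, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by node_modules paths, e.g.
// "node_modules/optimist/node_modules/minimist".
function collectPackages(packages, name, out) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // root project entry
    const segments = key
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    if (segments[segments.length - 1] === name) {
      out.push({ path: segments.join(' > '), version: entry.version });
    }
  }
}

// Return every copy of `name` in the lockfile that is NOT on a patched version.
function findUnpatched(lock, name, ranges = MINIMIST_PATCHED) {
  const found = [];
  if (lock.packages) collectPackages(lock.packages, name, found);
  else collectV1(lock.dependencies, name, [], found);
  return found.filter((f) => !isPatched(f.version, ranges));
}

// Constructed sample lockfiles (not from any real project): a patched top-level
// minimist plus an old copy nested under optimist, in both lockfile formats.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.5' },
    optimist: {
      version: '0.6.1',
      dependencies: { minimist: { version: '0.0.10' } },
    },
  },
};

const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-project' },
    'node_modules/minimist': { version: '1.2.5' },
    'node_modules/optimist': { version: '0.6.1' },
    'node_modules/optimist/node_modules/minimist': { version: '0.0.10' },
  },
};

// Against a real lockfile, replace the samples with:
//   JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))
for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V2]) {
  for (const hit of findUnpatched(lock, 'minimist')) {
    console.log(`lockfileVersion ${lock.lockfileVersion}: ${hit.path}@${hit.version} is unpatched`);
  }
}
```

Run it after `npm run preinstall` and `npm i` (or after a yarn `resolutions` change) to confirm that the nested copy under optimist is actually gone from the lockfile rather than trusting the audit summary alone; a hoisted top-level minimist 1.2.5 does nothing for a copy still pinned at 0.0.x underneath optimist.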
Closed by #227.
The dependency `optimist` depends on a vulnerable version of `minimist` (see https://npmjs.com/advisories/1179). Despite having an issue and PR filed with `optimist`, since the last commit on optimist was 6 years ago, and since the package is deprecated (and it has also been awaiting a fix for a proper license specifier, making automated license audits problematic in the interim), it'd be really nice if you could drop the `optimist` dependency, perhaps using one of its suggested replacements (yargs, nomnom, or using `minimist` directly, though if the latter, I'd hope pegging against the maintained major bump).

(I personally like `command-line-args`, as one can use it with `command-line-usage` or my `command-line-publish` / `command-line-basics` tools to get documentation (both at the command line and as SVG, allowing embedding in a README) from a simple declarative schema.)

Thanks!