coreybutler / node-windows

Windows support for Node.JS scripts (daemons, eventlog, UAC, etc).

vulnerability CVE-2020-7598 is introduced by package minimist #293

Closed paimon0715 closed 2 years ago

paimon0715 commented 2 years ago

Hi, the vulnerability CVE-2020-7598 is introduced in node-windows@1.0.0-beta.5 via: node-windows@1.0.0-beta.5 ➔ optimist@0.6.1 ➔ minimist@0.0.10.

However, optimist is a legacy package, which has not been maintained for about 8 years. Is it possible to migrate from optimist to another package to remediate this vulnerability?

I noticed several migration records in other JS repos for optimist:

  1. in handlebars, version 4.7.3-->4.7.4, migrate optimist to yargs via commit
  2. in db-migrate, version 1.0.0-beta.2-->1.0.0-beta.3, migrate optimist to yargs via commit
  3. in http-server, version 0.12.1-->0.12.2, deprecated optimist and directly use minimist via commit

Thanks.
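As an added example (not code from the issue or from the node-windows project), the script below walks a constructed npm lockfile tree, prints every dependency chain that ends in minimist, and flags versions in the CVE-2020-7598 range. The affected ranges (<0.2.1 and 1.0.0 up to but excluding 1.2.3) are taken from the GitHub advisory for this CVE, not from the issue; the `some-cli` package in the sample is hypothetical.

```javascript
// Added example: audit an npm lockfile (v1 "dependencies" shape) for
// transitive copies of minimist and report which ones fall in the
// CVE-2020-7598 range. Ranges follow the GitHub advisory for the CVE:
// affected <0.2.1 and >=1.0.0 <1.2.3. Assumes plain x.y.z minimist versions.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
};
function minimistIsVulnerable(version) {
  return cmp(version, '0.2.1') < 0 ||
    (cmp(version, '1.0.0') >= 0 && cmp(version, '1.2.3') < 0);
}
// Recursively walk nested "dependencies" objects, recording the path to
// every occurrence of the target package (there may be several copies).
function findPaths(deps, target, path = [], out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${meta.version}`];
    if (name === target) out.push({ path: here, version: meta.version });
    findPaths(meta.dependencies, target, here, out);
  }
  return out;
}
function auditLock(lock, target = 'minimist') {
  return findPaths(lock.dependencies, target).map((hit) => ({
    chain: [`${lock.name}@${lock.version}`, ...hit.path].join(' -> '),
    vulnerable: minimistIsVulnerable(hit.version),
  }));
}
// Constructed sample lockfile mirroring the chain reported in the issue,
// plus a patched copy of minimist reached through a hypothetical package.
const sampleLock = {
  name: 'node-windows', version: '1.0.0-beta.5',
  dependencies: {
    optimist: { version: '0.6.1', dependencies: { minimist: { version: '0.0.10' } } },
    'some-cli': { version: '2.0.0', dependencies: { minimist: { version: '1.2.6' } } },
  },
};
for (const r of auditLock(sampleLock)) {
  console.log(r.vulnerable ? 'VULNERABLE' : 'ok', r.chain);
}
```

Pointing `auditLock` at a real package-lock.json (v1 shape) shows whether a second, patched copy of minimist is already present, which is what the optimist-to-yargs migrations listed above achieve for the reported chain.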

coreybutler commented 2 years ago

Duplicate of #273.

paimon0715 commented 2 years ago

@coreybutler Just noticed that. Thanks. This issue has been fixed via https://github.com/coreybutler/node-windows/pull/267