minimist package 1.2.5 has critical severity vulnerability

[MikeMcC399]

Problem description

Dependabot alert shows "Prototype Pollution in minimist" with severity "Critical" for cwa-documentation with resolution "minimist": ">=1.2.6"

Steps to reproduce the issue

Execute:

npm audit

10 vulnerabilities (2 low, 3 moderate, 4 high, 1 critical)

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

Expected behavior

There should be no critical vulnerabilities flagged in the repository.

Possible Fix

1. Pin markdown-link-check to version ~3.8.7. This avoids failures which occur in versions 3.9 and 3.10 when executing npm run checklinks
2. Execute npm audit fix

[MikeMcC399]

• I plan to submit a PR to resolve this issue, unless the Open Source Team merges https://github.com/corona-warn-app/cwa-documentation/pull/875 (which solves the minimist issue, but not the markdown-link-check issue.)

• Before submitting a new PR which affects package-lock.json I would wait for PR https://github.com/corona-warn-app/cwa-documentation/pull/896 to be merged, otherwise there will be a conflict.

[larswmh]

@MikeMcC399 thanks for your offer to submit a PR. We would appreciate it. Your previous PR #896 has been merged

[MikeMcC399]

@larswmh

thanks for your offer to submit a PR. We would appreciate it. Your previous PR #896 has been merged.

• Thanks for merging #896! I have now submitted #898 to solve this issue.

[MikeMcC399]

• PR #898 is merged and npm audit no longer shows any critical vulnerability. 8 vulnerabilities (2 low, 3 moderate, 3 high)