Closed jacob-lassen closed 4 years ago
Is this something to be afraid of if db-migrate is used only as a dev dependency?
Depends how the code is packaged for deployment. We build a code package that is then pushed to production. db-migrate is then run as part of the start-up script for the application. This will only work when it's installed as a production dependency. Currently I have added the --audit-level=moderate flag to npm audit.
Furthermore optimist is deprecated: https://github.com/substack/node-optimist#deprecation-notice
We should update this library to use one of the recommended other packages...
Agreeing, I had already thought about replacing it anyway. So either an alternative like in this effort here https://github.com/db-migrate/node-db-migrate/pull/675, or replace it with commander.
For reference, there is an open PR for replacing optimist with yargs (see https://github.com/db-migrate/node-db-migrate/pull/679).
A similar approach was used to resolve vulnerabilities in Handlebars (see https://github.com/wycats/handlebars.js/pull/1666).
Optimist inherits a vulnerability from an older version of minimist. This causes npm audit to fail. Because optimist is no longer being maintained, I think the best solution would be to use minimist directly.
Solution: Use minimist directly and bypass the need for optimist.