gruntjs / grunt-cli

Grunt's command line interface.
http://gruntjs.com/
MIT License

"high" severity vulnerability via liftoff dependency #129

Closed mcandre closed 2 months ago

mcandre commented 5 years ago

$ npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ set-value                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-cli > liftoff > findup-sync > micromatch > braces >    │
│               │ snapdragon > base > cache-base > set-value                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1012                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
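The "Prototype Pollution" finding reported for set-value above, illustrated with an added example that is not code from grunt-cli, liftoff or set-value: a nested-property setter (the names safeSet, isUnsafeKey and prototypeIsClean are invented here) that refuses the path keys which would write into Object.prototype and only descends through own properties.

```javascript
'use strict';
// Added example, not set-value's implementation: a deep setter hardened
// against prototype pollution. Names below are made up for illustration.

// Path keys that would redirect a write from the target object into
// Object.prototype (or a constructor's prototype) instead.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(String(key));
}

// Set obj[k0][k1]...[kn] = value, creating intermediate plain objects as
// needed. Throws instead of ever touching the prototype chain.
function safeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  if (keys.length === 0) throw new TypeError('empty path');
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (isUnsafeKey(key)) {
      throw new TypeError(`refusing to set unsafe key "${key}"`);
    }
    if (i === keys.length - 1) {
      cur[key] = value;
      return obj;
    }
    // Descend only into an own, plain-object property; an inherited
    // value (e.g. toString) or a primitive is shadowed by a fresh object.
    const own = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (own === null || typeof own !== 'object') {
      cur[key] = {};
    }
    cur = cur[key];
  }
  return obj;
}

// True when Object.prototype carries no own property called `name`,
// i.e. the check a test suite can run after exercising a setter.
function prototypeIsClean(name) {
  return !Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```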
shama commented 5 years ago

Strange, on a fresh install I don't see that: (screenshot: Screen Shot 2019-07-18 at 10 04 17 AM)

But set-value@2.0.1 does get installed, even when installing the latest liftoff, so we might need to wait for https://github.com/js-cli/js-liftoff/issues/107 to be resolved and then update here.

mcandre commented 4 years ago

Something weird is going on. When I run npm audit against the grunt-cli master branch, I get no warnings. But when I import grunt-cli 1.3.2 into another project, I get dozens of warnings for grunt-cli dependencies.

Regarding liftoff, the project has lapsed. I published a fork with the security patches:

https://www.npmjs.com/package/liftoff2

Krinkle commented 2 months ago

Closing, because use of liftoff was temporary while issues with liftoff were addressed. https://github.com/gulpjs/liftoff has resumed maintenance since then, and is used by grunt-cli 1.4.2+.