helpers / handlebars-helpers

188 handlebars helpers in ~20 categories. Can be used with Assemble, Ghost, YUI, express.js etc.
http://assemble.io/helpers/
MIT License

npm audit issue with underscore.string #342

Open cfjedimaster opened 5 years ago

cfjedimaster commented 5 years ago

Not sure if this is an issue with this package to deal with or one lower, but I figured I'd start here. :) npm audit reveals two issues with this package related to underscore.string:

handlebars-helpers > helper-markdown > remarkable > argparse > underscore.string

jonschlinkert commented 5 years ago

This should really be fixed in argparse. If they release a simple patch, all libraries in the ecosystem that see that message will be fixed. Otherwise, we'll need to keep hacking at the leaves.

edit: FWIW, we'll fix if we determine for sure that the maintainers of argparse are not willing or able to fix it. thanks for reporting

cfjedimaster commented 5 years ago

From what I saw, argparse no longer uses it.

cfjedimaster commented 5 years ago

Ahah - I think it is remarkable. They are not using 1.0.0 of argparse, so the blame is with them. I think. ;)

cfjedimaster commented 5 years ago

And there is already a bug for it - https://github.com/jonschlinkert/remarkable/issues/321. Question is - and this is maybe meta - if remarkable refuses to fix it, does blame go to helper-markdown?

jonschlinkert commented 5 years ago

They are not using 1.0.0 of argparse, so the blame is with them. I think. ;)

argparse > underscore.string

The problem is without a doubt with argparse.

Newer versions of argparse might not be using underscore.string, but they should (and can easily) do a patch of an older version of argparse so that all users receive the patch. If it's patched in argparse, then it will automatically be used in all downstream libraries unless they are version locked.

cfjedimaster commented 5 years ago

So you would file an issue with argparse?

jonschlinkert commented 5 years ago

Yes, one would file an issue with argparse. If it's not fixed in argparse, then every single minor and major version of every package that uses argparse will need to release a patch.

Edit: also, to be clear, this issue does not have any impact on handlebars-helpers, since the affected code is not used (argparse is only used in the remarkable CLI, which is not exposed anywhere on the API).
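The thread's point about patching at the source (argparse) versus "hacking at the leaves" comes down to semver ranges: a patch release on the affected major line is picked up automatically by every dependent whose range allows it, while pinned dependents, or a fix shipped only on a new major, leave downstream packages on the vulnerable version. The following is an added example, not code from handlebars-helpers or any of the projects named above; the dependent names, versions and ranges are constructed, and the range checker is a deliberately minimal stand-in for the real `semver` package (exact, `~` and `^` only).

```javascript
// Added example: which dependents of a package pick up a patch release automatically?
// All package names, versions and ranges below are constructed for illustration.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  return (va.major - vb.major) || (va.minor - vb.minor) || (va.patch - vb.patch);
}

// Minimal semver check covering the three range shapes that matter here:
//   "1.0.0"  pinned: exact match only
//   "~1.0.0" tilde:  same major.minor, at or above the base
//   "^1.0.0" caret:  same major (same minor when major is 0), at or above the base
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('~')) {
    const base = parseVersion(range.slice(1));
    return v.major === base.major && v.minor === base.minor && compare(version, range.slice(1)) >= 0;
  }
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    const sameLine = base.major === 0 ? (v.major === 0 && v.minor === base.minor) : v.major === base.major;
    return sameLine && compare(version, range.slice(1)) >= 0;
  }
  return compare(version, range) === 0; // pinned
}

// Constructed dependents of the vulnerable package and the range each declares.
const DEPENDENTS = {
  'remarkable-like': '~1.0.0',  // tilde range: takes patch releases
  'locked-tool': '1.0.0',       // version locked: never moves on its own
  'caret-tool': '^1.0.0',       // caret range: takes minor and patch releases
};

// For a hypothetical patched version, split dependents into those that auto-upgrade
// and those still stuck on the vulnerable line (and so need their own release).
function patchCoverage(patchedVersion, dependents = DEPENDENTS) {
  const covered = [], stuck = [];
  for (const [name, range] of Object.entries(dependents)) {
    (satisfies(patchedVersion, range) ? covered : stuck).push(name);
  }
  return { covered, stuck };
}
```

Running `patchCoverage('1.0.1')` shows the tilde and caret dependents covered and only the pinned one stuck, whereas `patchCoverage('2.0.0')` covers nobody, which is the "every package that uses argparse will need to release a patch" outcome.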