Currently nlf has a hard-coded dependency on version 3.1.0 of glob-all and due to this, through a few other dependencies, it ends up pulling in minimist 0.1.0 which has known security issues. This has been resolved in the latest version of glob-all (3.2.1).
Note: I'd also suggest against using hard-coded dependencies if possible and instead use something like glob-all@^3.1.0 to prevent this happening in future. That does rely on other projects following semver properly, but it's less of a risk than being stuck at a specific version that has potential security issues.
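The difference between the exact pin and the caret range described above, as an added example (not code from nlf or glob-all). The function names and the manifest are constructed for illustration, and the version handling covers plain MAJOR.MINOR.PATCH strings only.

```javascript
// Added example: minimal semver handling for plain MAJOR.MINOR.PATCH versions
// only (no prerelease tags, no x-ranges, no compound ranges).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rule that the
// leftmost non-zero component may not change.
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Does `spec` (exact "1.2.3" or caret "^1.2.3") admit `version`?
function satisfies(spec, version) {
  const v = parseVersion(version);
  const caret = spec.startsWith("^");
  const base = parseVersion(caret ? spec.slice(1) : spec);
  if (!v || !base) throw new Error(`unsupported spec or version: ${spec} / ${version}`);
  if (!caret) return compare(v, base) === 0;
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// Report dependencies whose spec is an exact pin that excludes the fixed release.
function findBlockingPins(manifest, fixedVersions) {
  const findings = [];
  for (const [name, spec] of Object.entries(manifest.dependencies || {})) {
    const fixed = fixedVersions[name];
    if (!fixed || !parseVersion(spec)) continue; // only exact pins with a known fix
    if (!satisfies(spec, fixed)) {
      findings.push({ name, pinned: spec, fixed, caretWouldResolve: satisfies("^" + spec, fixed) });
    }
  }
  return findings;
}

// Constructed manifest modelled on the situation described above.
const manifest = { name: "example", dependencies: { "glob-all": "3.1.0", "other-dep": "^1.0.0" } };
console.log(findBlockingPins(manifest, { "glob-all": "3.2.1" }));
```

The same check can run in CI against a list of fixed versions taken from advisories, so an exact pin that blocks a patched release is flagged before it ships.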