jaredwray / flat-cache

A stupidly simple key/value storage using files to persist the data
MIT License

Update minimist to 1.2.3 or later #47

Closed p1ho closed 1 year ago

p1ho commented 4 years ago

Hello, just found this out, so wanted to open an issue.

minimist released a security statement to use version 1.2.3 or later due to a prototype pollution bug

minimist is not a top-level dependency (it's not in package.json), but it is present in package-lock.json (a word search reveals 21 occurrences).

This means projects with flat-cache as a dependency and a build process that includes vulnerability checking (through `$ npm audit`) might have a failed build because of it. I was wondering if you can please take a look, thanks!

jfoclpf commented 4 years ago

Please update the write dependency asap to v2.0.0. That's what is disseminating the vulnerability.

SuperITMan commented 4 years ago

This should be solved by #46

royriojas commented 4 years ago

Is this a real issue? I mean, it is a devDependency for this project, so how is it that minimist ended up being installed? Is it a dependency of flatted or rimraf?

SuperITMan commented 4 years ago

Hello @royriojas

Actually, the description of the issue is not 100% correct. As @jfoclpf mentioned, the dependency write of flat-cache has to be updated to version > 2.0.0 asap, because:

flat-cache - 2.0.1:
  - write - 1.0.3: 
    - mkdirp - ^0.5.0:
      - minimist - 0.0.8

Thanks for your lib 😊
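The chain above is the kind of transitive path `npm audit` flags. As an added example (not part of flat-cache or of any comment in this thread), the script below walks a lockfile-v1 style `dependencies` tree and lists every copy of a package resolved below a minimum version, with its path from the root; the lock object is constructed to mirror the chain quoted here, and the exact `mkdirp` and hoisted `minimist` versions are assumptions.

```javascript
// Added example (not part of the flat-cache project): walk a lockfile-v1
// style "dependencies" tree and report every path that resolves a package
// below a minimum version. The lock object below is constructed to mirror
// the chain quoted in the thread; exact versions are assumptions.
const constructedLock = {
  name: "flat-cache", version: "2.0.1",
  dependencies: {
    minimist: { version: "1.2.0" },              // hoisted copy, still < 1.2.3
    write: {
      version: "1.0.3",
      dependencies: {
        mkdirp: {
          version: "0.5.1",                       // assumed resolution of ^0.5.0
          dependencies: { minimist: { version: "0.0.8" } },
        },
      },
    },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return strings like "flat-cache > write > mkdirp > minimist@0.0.8" for
// every copy of `name` whose resolved version is below `minVersion`.
function findVulnerable(lock, name, minVersion) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...path, dep];
      if (dep === name && compareVersions(info.version, minVersion) < 0) {
        hits.push(`${here.join(" > ")}@${info.version}`);
      }
      walk(info.dependencies, here);   // recurse into nested dependencies
    }
  };
  walk(lock.dependencies, [lock.name]);
  return hits;
}

console.log(findVulnerable(constructedLock, "minimist", "1.2.3"));
```

Pointing `findVulnerable` at `JSON.parse(fs.readFileSync("package-lock.json"))` gives the same report for a real v1 lockfile; v2/v3 lockfiles use a flat `packages` map instead and would need a different walker.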

yumetodo commented 4 years ago

To update write to >=2.0.0, please drop support for node.js < 10 and merge #46.

jaredwray commented 1 year ago

@yumetodo - we will be removing nodejs 10 support in the upcoming weeks.