jprichardson / node-fs-extra

Node.js: extra methods for the fs object like copy(), remove(), mkdirs()
MIT License

Your minimist version is out of date and needs to be updated to 1.2.6 or later #1017

Closed JoyMace closed 9 months ago

JoyMace commented 11 months ago

Hey there, I followed the dependency tree for an app I use that can no longer be installed, because node-fs-extra is a dependency of a dependency and minimist is a dependency of node-fs-extra, and any pre-1.2.6 version of minimist has a prototype pollution bug, which means antivirus software will flat out not allow anything using it to be installed.

https://www.npmjs.com/package/minimist (see security section)

Please update your packages if possible. (And sorry this doesn't follow the standard issue format... I don't directly use this package, so none of the info is really relevant, but I will answer any questions I'm able to if asked.)

Thanks so much!

RyanZim commented 11 months ago

fs-extra does not depend on minimist for production use; we use it in development, not in production. However, there might be a super old version that somehow depends on it. What version of fs-extra do you have in your dependency tree?
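One way to answer the question above from a lockfile: the sketch below lists every installed copy of minimist older than 1.2.6 and the packages that actually resolve to it, which shows whether fs-extra is among them. It is an added example, not part of the thread or of fs-extra's code; the `example-*` package names, all versions in `sampleLock`, and the helper names `lessThan`, `resolve` and `findOutdated` are assumptions made for illustration.

```javascript
// Constructed sample in npm lockfile v2/v3 shape ("packages" keyed by install path).
// example-* packages are hypothetical and every version here is made up.
const sampleLock = { packages: {
  "": { dependencies: { "example-app": "^1.0.0" } },
  "node_modules/example-app": { version: "1.0.0",
    dependencies: { "fs-extra": "*", "example-cli": "^2.0.0" } },
  "node_modules/fs-extra": { version: "0.0.0" }, // placeholder version
  "node_modules/example-cli": { version: "2.0.0", dependencies: { minimist: "^1.2.0" } },
  "node_modules/example-cli/node_modules/minimist": { version: "1.2.5" },
  "node_modules/example-tool": { version: "3.1.0", dependencies: { minimist: "^1.2.6" } },
  "node_modules/minimist": { version: "1.2.8" },
} };

// Numeric x.y.z comparison; prerelease and build tags are ignored (simplification).
function lessThan(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Node-style lookup: the dependent's own node_modules first, then each parent's.
function resolve(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Each installed copy of `name` older than `minVersion`, plus the packages that resolve to it.
function findOutdated(lock, name, minVersion) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/" + name) || !meta.version) continue;
    if (!lessThan(meta.version, minVersion)) continue;
    const requiredBy = Object.entries(packages).filter(([p, m]) => {
      const deps = { ...m.dependencies, ...m.optionalDependencies, ...m.devDependencies };
      return Object.keys(deps).includes(name) && resolve(packages, p, name) === path;
    }).map(([p]) => p || "(root project)");
    hits.push({ path, version: meta.version, dev: meta.dev === true, requiredBy });
  }
  return hits;
}
```

For a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; `npm ls minimist` prints the same dependency chain from the command line.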