Open z0r0132 opened 4 years ago
To whoever is able to maintain this project:
Please see https://npmjs.com/advisories/1179 for what exactly the problem is here.
karma itself has this problem, and they have addressed it in this commit. The only thing currently preventing @johnjbarton from releasing a new version of karma containing that fix seems to be Travis-related problems, which the aforementioned repo owner has announced will be addressed today.
Please upgrade your dependency asap to a version >= 1.2.3.
@johnjbarton The latest release of this package dates back to 2016. Who can issue a new release with this fix in it?
I will work on semantic-release...after I get it to work on the karma-runner/karma project.
I think this can be closed as of release 2.0.0.
The version used for minimist is 1.2.0. minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
I cannot change this in my project: even if I install the latest minimist, karma-mocha still installs 1.2.0 and uses it. Can you please check that and update? It is critical in my project. Thanks
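To check for the situation described in the last comment, the following added example (not part of the thread and not code from karma-mocha) walks a `lockfileVersion: 1` style `package-lock.json` tree and lists every installed copy of minimist below the 1.2.3 minimum requested in this issue, plus the packages that declare it. The `auditLock` and `compareVersions` names, the sample lockfile and the `0.0.0-placeholder` version are constructed for illustration.

```javascript
'use strict';

// Compare two plain "x.y.z" versions; returns <0, 0 or >0.
// Pre-release tags are ignored (a simplification for this example).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested "dependencies" tree of a lockfile (hypothetical helper).
// outdated:   installed copies of `name` older than `minFixed`
// requiredBy: packages whose "requires" map names `name`, with the range
function auditLock(lock, name, minFixed) {
  const outdated = [];
  const requiredBy = [];
  (function walk(deps, trail) {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const path = [...trail, pkg].join(' > ');
      if (pkg === name && compareVersions(info.version, minFixed) < 0) {
        outdated.push({ path, version: info.version });
      }
      const req = info.requires || {};
      if (Object.prototype.hasOwnProperty.call(req, name)) {
        requiredBy.push({ path, range: req[name] });
      }
      walk(info.dependencies, [...trail, pkg]);
    }
  })(lock.dependencies, []);
  return { outdated, requiredBy };
}

// Constructed sample: a patched top-level minimist does not replace the
// copy nested under a package that pins the exact old version.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'karma-mocha': {
      version: '0.0.0-placeholder',
      requires: { minimist: '1.2.0' },
      dependencies: { minimist: { version: '1.2.0' } }
    },
    minimist: { version: '1.2.3' }
  }
};

console.log(JSON.stringify(auditLock(sampleLock, 'minimist', '1.2.3'), null, 2));
```

An exact-version range in `requiredBy` means a newer top-level install cannot replace the nested copy; that takes a new release of the requiring package or a forced override in the consuming project.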