lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0

Vulnerability in y18n (prototype pollution) #99

Closed xiniria closed 3 years ago

xiniria commented 3 years ago

Expected Behavior

When using npq (your own tool! 😋) to install lockfile-lint, it pointed out that it has 1 vulnerability, according to Snyk's Vuln DB. Actually this vulnerability is a prototype pollution in y18n@4.0.0, which is a dependency of yargs@15.4.1. It is a known vulnerability and it has been fixed a few weeks ago. Updating yargs to the latest version (16.1.1) updates y18n to version 5.0.5 and fixes the issue.

Current Behavior

Vulnerability in dependency.

Possible Solution

Update yargs to version 16.1.1.

Your Environment
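As an added example, not part of this issue or of lockfile-lint: a small check that walks a v1 `package-lock.json` (hoisted and nested copies alike) and reports every resolved `y18n` older than the 5.0.5 that the issue says yargs 16.1.1 brings in. The lockfile is constructed for the example, and using 5.0.5 as the baseline is a simplification: the exact affected ranges should come from your vulnerability database.

```javascript
// Added example, not lockfile-lint code. The lockfile below is constructed
// to mirror the issue: a hoisted y18n@5.0.5 plus a nested y18n@4.0.0
// pulled in by yargs@15.4.1.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 1, requires: true,
  dependencies: {
    yargs: {
      version: "15.4.1",
      requires: { y18n: "^4.0.0" },
      dependencies: { y18n: { version: "4.0.0" } }
    },
    y18n: { version: "5.0.5" }
  }
};

// Compare dotted numeric versions (e.g. "4.0.0" vs "5.0.5") without semver.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `pkg` in a v1 "dependencies" tree,
// including copies nested under other packages' own node_modules.
function findPackage(deps, pkg, path = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === pkg) out.push({ path: here.join(" > "), version: entry.version });
    findPackage(entry.dependencies, pkg, here, out);
  }
  return out;
}

// Return the y18n copies older than `fixedVersion` (assumed baseline: 5.0.5).
function findStaleY18n(lock, fixedVersion = "5.0.5") {
  return findPackage(lock.dependencies, "y18n")
    .filter(hit => compareVersions(hit.version, fixedVersion) < 0);
}

console.log(findStaleY18n(SAMPLE_LOCK));
```

On the constructed lockfile this reports only the nested `yargs > y18n` at 4.0.0, which is the copy a flat `npm ls` view can hide behind the hoisted 5.0.5.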

xiniria commented 3 years ago

I just realized that the Snyk bot already created a PR for that: #98

lirantal commented 3 years ago

Indeed it did, but thank you so much for calling this out and making sure I track it! You're a security hero, sir! 🤗 💜

xiniria commented 3 years ago

@lirantal The publish job failed on the CI so there is no new version after this PR, could you check what happened?

lirantal commented 3 years ago

Yep, I know. It's because the lockfile didn't get properly updated. I am on a temporary macbook right now so I don't have a clone of the project and the environment to fix it. If you wanted to submit a PR that updates the lockfile I'll gladly merge it, as I'll only get to this later next week.

xiniria commented 3 years ago

Done in #100.