Open sdasda7777 opened 6 months ago
```
# npm audit report

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    mldoc  *
    Depends on vulnerable versions of yargs
    node_modules/mldoc
```
Hi, could you please remove `yargs` as a dependency and use something else instead? A core dependency of `yargs`, `yargs-parser`, not only has vulnerabilities in the specific version you use, but seemingly hasn't been updated at all in the last two years, merge requests with additional fixes being ignored. I don't believe `yargs` should be trusted as a dependency when this is allowed.
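The advisory above concerns prototype pollution in an argument parser: a parser that expands dotted keys (`--a.b=1` becomes `{a: {b: '1'}}`) can be driven to write through `__proto__` unless it refuses prototype-related path segments. The following is an added example, written for this issue and not code from `yargs`, `yargs-parser` or `mldoc`, of the hardening a dotted-key parser needs and of a cheap regression check a maintainer can keep in a test suite. All function names (`setDottedKey`, `parseArgs`, `isPrototypePolluted`) and the sample argument vectors are hypothetical.

```javascript
// Hardened dotted-key assignment plus a pollution check.
// Added example; not taken from yargs-parser. Names are hypothetical.

// Path segments that must never be traversed or assigned, because writing
// through them reaches Object.prototype instead of the target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted path `dottedKey` inside `target`, creating
// intermediate containers as needed. Throws instead of touching a
// prototype-related key, so a hostile argument cannot pollute Object.prototype.
function setDottedKey(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let node = target;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set prototype-related key "${key}"`);
    }
    if (i === parts.length - 1) {
      node[key] = value;
    } else {
      const existing = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
      if (typeof existing !== 'object' || existing === null) {
        // Null-prototype containers have no inherited setters to trip over.
        node[key] = Object.create(null);
      }
      node = node[key];
    }
  }
  return target;
}

// Minimal long-option parser: `--key=value`, `--key value`, or bare `--flag`.
// Returns a null-prototype object so parsed keys never shadow Object methods.
function parseArgs(argv) {
  const result = Object.create(null);
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    let key, value;
    if (eq !== -1) {
      key = arg.slice(2, eq);
      value = arg.slice(eq + 1);
    } else {
      key = arg.slice(2);
      const next = argv[i + 1];
      if (next !== undefined && !next.startsWith('--')) {
        value = next;
        i++;
      } else {
        value = true;
      }
    }
    setDottedKey(result, key, value);
  }
  return result;
}

// Regression check: a freshly created plain object must not see `marker`.
// If it does, something has written to Object.prototype during the run.
function isPrototypePolluted(marker) {
  return ({})[marker] !== undefined;
}

// Constructed sample input for a stand-alone run.
const sample = ['--out.dir=build', '--verbose', '--name', 'demo'];
console.log(JSON.stringify(parseArgs(sample)));
console.log('polluted:', isPrototypePolluted('polluted'));

module.exports = { setDottedKey, parseArgs, isPrototypePolluted, FORBIDDEN_KEYS };
```

The useful habit here is the last function: run it after your CLI's own argument parsing in a test, with a marker key that no legitimate option uses, so an upgrade to a vulnerable parser version fails the suite instead of reaching production.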