logseq / mldoc

Another Emacs Org-mode and Markdown parser.
GNU Affero General Public License v3.0

Remove yargs as a dependency due to security concerns #140

Open sdasda7777 opened 6 months ago

sdasda7777 commented 6 months ago

Hi, could you please remove yargs as a dependency and use something else instead?

A core dependency of yargs, yargs-parser not only has vulnerabilities in the specific version you use, but seemingly hasn't been updated at all in the last two years, merge requests with additional fixes being ignored. I don't believe yargs should be trusted as a dependency when this is allowed.

sdasda7777 commented 6 months ago
# npm audit report

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    mldoc  *
    Depends on vulnerable versions of yargs
    node_modules/mldoc
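The advisory the audit report points at (GHSA-p9pc-299p-vxgp) is a prototype-pollution issue: an option parser that turns a dotted key path such as `--a.b=c` into nested object writes, without screening the key names, can be made to write onto `Object.prototype` and thereby onto every object in the process. The following is an added example, not code from mldoc, yargs or yargs-parser. It uses a small constructed option parser to show the vulnerable pattern beside a hardened setter, plus a runtime self-check; all argument strings in it are constructed for the demonstration.

```javascript
// Added example, not code from mldoc or yargs-parser. It models the
// prototype-pollution pattern GHSA-p9pc-299p-vxgp describes for yargs-parser
// (an option parser writes caller-chosen dotted key paths into an object
// without screening "__proto__") and places a hardened setter beside it.
// All argv strings in this file are constructed for the demonstration.

// Split "--a.b.c=value" into its key path and value ("--flag" becomes true).
function splitOption(arg) {
  const body = arg.slice(2);
  const eq = body.indexOf("=");
  const path = eq === -1 ? body : body.slice(0, eq);
  const value = eq === -1 ? true : body.slice(eq + 1);
  return { keys: path.split("."), value };
}

// VULNERABLE PATTERN: walks the key path, creating intermediate objects as it
// goes, but never checks the key names. On a plain object, reading "__proto__"
// returns Object.prototype, so "--__proto__.x=y" writes x onto every object.
function setPathUnsafe(target, keys, value) {
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof node[keys[i]] !== "object" || node[keys[i]] === null) {
      node[keys[i]] = {};
    }
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: reject the keys that reach the prototype chain, descend only into
// own properties, and build with null-prototype objects so "__proto__" has no
// special meaning even if a check were ever missed.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setPathSafe(target, keys, value) {
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing to set reserved key "${key}"`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  return target;
}

// Shared driver: feed every "--" argument through the chosen setter.
function parseArgs(argv, setPath, makeRoot) {
  const opts = makeRoot();
  for (const arg of argv) {
    if (arg.startsWith("--")) {
      const { keys, value } = splitOption(arg);
      setPath(opts, keys, value);
    }
  }
  return opts;
}

const parseArgsUnsafe = (argv) => parseArgs(argv, setPathUnsafe, () => ({}));
const parseArgsSafe = (argv) => parseArgs(argv, setPathSafe, () => Object.create(null));

// Runtime check a test suite or startup self-test can use: has a property the
// application never defined leaked onto Object.prototype?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Demonstration: pollute with the unsafe parser, observe the effect on an
// unrelated object, undo it, then show the hardened parser refusing the input.
function runDemo() {
  const input = ["--out.dir=build", "--__proto__.polluted=yes"];
  parseArgsUnsafe(input);
  const pollutedAfterUnsafe = isPrototypePolluted("polluted");
  const unrelated = {};
  const leaked = unrelated.polluted; // "yes" while the runtime is polluted
  delete Object.prototype.polluted;  // undo the demonstration

  let safeRejected = false;
  try {
    parseArgsSafe(input);
  } catch (e) {
    safeRejected = true;
  }
  const pollutedAfterSafe = isPrototypePolluted("polluted");
  return { pollutedAfterUnsafe, leaked, safeRejected, pollutedAfterSafe };
}

console.log(runDemo());
```

Two design points carry over to real code: the hardened parser refuses the reserved keys outright instead of silently dropping them, so a malformed or hostile argument surfaces as an error in logs, and it stores options in null-prototype objects so that consumers reading `opts.out.dir` can never be served an inherited value. The `isPrototypePolluted` check is cheap enough to run in a test suite against any dependency that parses untrusted key paths, which is the concern the audit output above raises for the yargs chain.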