Open anirudhb-sf opened 2 years ago
@mafintosh and @TrySound this is a fairly important one.
We're getting nicked on our corporate security scans, and we don't particularly want to refactor all of our projects to use a different lib, as this one is well made and that's a lot of tech debt to take on.
PR #215 eliminates the dependency entirely, PR #216 upgrades the existing dependency.
Expected Behavior / Situation
N/A
Actual Behavior / Situation
minimist v1.2.5 brings in a security vulnerability which currently has no fix. The following dependency chain makes csv-parser a vulnerable package: csv-parser@3.0.0 › minimist@1.2.5.

Modification Proposal
Request for a security fix to make csv-parser free from security vulnerabilities. We may shift to using minimist-lite as suggested here / eliminate the usage of minimist by providing an implementation to parse command line args.