microsoft / dts-gen

dts-gen creates starter TypeScript definition files for any module or library.
MIT License

Audit report (moderate impact) via yargs dependency #182

Open sffc opened 1 year ago

sffc commented 1 year ago

There is an npm audit report on this package due to its dependency on a vulnerable version of yargs, which npm audit fix is unable to resolve.

```
# npm audit report

yargs-parser  <=5.0.0
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
../shared/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  ../shared/node_modules/yargs
    dts-gen  *
    Depends on vulnerable versions of yargs
    ../shared/node_modules/dts-gen

3 moderate severity vulnerabilities
```
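To show what the advisory's "Prototype Pollution" means for a consumer of an old yargs-parser, here is an added example that is neither yargs-parser's nor dts-gen's code: a simplified model of `--key.sub=value` handling in which the unsafe setter walks into `Object.prototype`, beside a hardened setter that rejects prototype-chain segments. `ARGV`, `parseArgs`, `setPathUnsafe`, `setPathSafe` and `run` are all constructed for this illustration.

```javascript
// Added example, not yargs-parser's code: a simplified model of dotted-key
// argument handling that shows the prototype-pollution bug class the advisory
// names, beside a hardened setter. ARGV is a constructed command line.
const ARGV = ['--__proto__.polluted=yes', '--name=dts-gen'];

// Minimal --key=value / --key value parser; setPath materialises dotted keys.
function parseArgs(argv, setPath) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? (i + 1 < argv.length ? argv[++i] : true) : arg.slice(eq + 1);
    setPath(out, key, value);
  }
  return out;
}
// Vulnerable: "__proto__" resolves to Object.prototype (not undefined), so the
// walk descends into it and the final write lands on every object in the process.
function setPathUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (obj[parts[i]] === undefined) obj[parts[i]] = {};
    obj = obj[parts[i]];
  }
  obj[parts[parts.length - 1]] = value;
}
// Hardened: reject prototype-chain segments and descend only into own objects.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => FORBIDDEN.has(p))) return false; // key dropped
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(obj, parts[i]);
    if (!own || typeof obj[parts[i]] !== 'object' || obj[parts[i]] === null) obj[parts[i]] = {};
    obj = obj[parts[i]];
  }
  obj[parts[parts.length - 1]] = value;
  return true;
}
// Parse ARGV with a setter and report whether Object.prototype gained
// 'polluted'; the property is deleted again so later code is unaffected.
function run(setPath) {
  delete Object.prototype.polluted;
  const parsed = parseArgs(ARGV, setPath);
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return { parsed, leaked };
}
```

`run(setPathUnsafe).leaked` is `true` and `run(setPathSafe).leaked` is `false`; for dts-gen itself the fix is to depend on a yargs release that pulls in a patched yargs-parser, and the hardened setter only illustrates the kind of key check such a parser needs.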
sffc commented 1 year ago

Note that yargs is now at version 17, and the vulnerability is only in versions 4 through 7, so I think updating the yargs dependency to a newer version in dts-gen should resolve this.