nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License

nrwl/schematics using insecure yargs-parser version #11028

Closed keradus closed 2 years ago

keradus commented 2 years ago

When installing the newest @nrwl/schematics, the received yargs-parser version is exposed to a security issue: https://github.com/advisories/GHSA-p9pc-299p-vxgp

"@nrwl/schematics": "^8.12.11",
"@nrwl/schematics@^8.12.11":
  version "8.12.11"
  resolved "https://registry.yarnpkg.com/@nrwl/schematics/-/schematics-8.12.11.tgz#527ae2f92493dc90e2141a2f5bc0cf9c3b6d0e38"
  integrity sha512-z3Zmpq8F0OJiS657ClJhJepTloC+Grt0GHYlHRcyLlJ1EwDmYOZrhcMhE6lvtjs06bvnPk4GSeqyOt2nbhmqsw==
  dependencies:
    "@nrwl/angular" "8.12.11"
    "@nrwl/workspace" "8.12.11"
    app-root-path "^2.0.1"
    cosmiconfig "4.0.0"
    fs-extra "6.0.0"
    graphviz "0.0.8"
    ignore "5.0.4"
    opn "^5.3.0"
    prettier "1.16.4"
    rxjs "^6.4.0"
    semver "5.4.1"
    strip-json-comments "2.0.1"
    tmp "0.0.33"
    viz.js "^1.8.1"
    yargs "^11.0.0"
    yargs-parser "10.0.0" <<< affected

Can you please update yargs-parser for the schematics package? Thanks!
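A defender reading this report wants to answer the same question for any lockfile: which resolved versions of yargs-parser are present, do they fall inside the advisory's affected ranges, and which lock entry pulls each one in. The Python script below is an added example, not code from the nx repository or from the reporter. It parses the yarn.lock v1 format (entry headers, `version`, and the `dependencies:` block) on a constructed excerpt modelled on the entry quoted above, links each resolved version back to its dependents, and flags affected versions. The affected-version ranges for GHSA-p9pc-299p-vxgp are an assumption of this example and should be confirmed against the advisory before relying on them.

```python
"""Scan a yarn.lock (v1 format) for resolved versions of a package that fall
inside known-vulnerable ranges, and report which lock entry pulls each one in.
Added example for this issue; not code from the nx repository."""
import re
from dataclasses import dataclass, field

# Constructed yarn.lock excerpt: the first entry is modelled on the one quoted
# in the issue (trimmed to the relevant dependencies); the yargs-parser entries
# are constructed so the scanner has one affected and one unaffected version.
SAMPLE_LOCK = '''\
"@nrwl/schematics@^8.12.11":
  version "8.12.11"
  resolved "https://registry.yarnpkg.com/@nrwl/schematics/-/schematics-8.12.11.tgz#527ae2f92493dc90e2141a2f5bc0cf9c3b6d0e38"
  dependencies:
    yargs "^11.0.0"
    yargs-parser "10.0.0"

yargs-parser@10.0.0:
  version "10.0.0"

"yargs-parser@^18.1.2", yargs-parser@18.1.3:
  version "18.1.3"
'''

# Affected ranges (lower bound inclusive, upper bound exclusive) for
# GHSA-p9pc-299p-vxgp as the example's author recalls them. ASSUMPTION: confirm
# against the advisory before relying on these numbers.
VULNERABLE_RANGES = {
    "yargs-parser": [((0, 0, 0), (13, 1, 2)),
                     ((14, 0, 0), (15, 0, 1)),
                     ((16, 0, 0), (18, 1, 1))],
}

HEADER_RE = re.compile(r'^(?P<keys>\S.*):$')                 # pkg@range[, pkg@range]:
KV_RE = re.compile(r'^  (?P<key>\w+) "?(?P<val>[^"]*)"?$')   # two-space key/value line
DEP_RE = re.compile(r'^    "?(?P<name>[^"\s]+)"? "(?P<range>[^"]+)"$')  # dependency line


@dataclass
class LockEntry:
    name: str
    specs: list            # requested ranges this entry satisfies, e.g. "^8.12.11"
    version: str = ""
    dependencies: dict = field(default_factory=dict)   # dep name -> requested range
    dependents: set = field(default_factory=set)       # "name@version" of entries that need it


def parse_yarn_lock(text):
    """Minimal yarn.lock v1 parser: entry headers, version, dependencies."""
    entries, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" "):                      # new entry header
            keys = [k.strip().strip('"')
                    for k in HEADER_RE.match(line).group("keys").split(",")]
            current = LockEntry(name=keys[0].rpartition("@")[0],
                                specs=[k.rpartition("@")[2] for k in keys])
            entries.append(current)
            in_deps = False
        elif current is None:
            continue
        elif line.startswith("    "):                     # nested (dependency) line
            m = DEP_RE.match(line)
            if in_deps and m:
                current.dependencies[m.group("name")] = m.group("range")
        elif line in ("  dependencies:", "  optionalDependencies:"):
            in_deps = True
        else:
            in_deps = False
            m = KV_RE.match(line)
            if m and m.group("key") == "version":
                current.version = m.group("val")
    return entries


def semver_tuple(version):
    """'18.1.3' -> (18, 1, 3); pre-release and build metadata are dropped."""
    core = version.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(name, version):
    t = semver_tuple(version)
    return any(lo <= t < hi for lo, hi in VULNERABLE_RANGES.get(name, []))


def find_vulnerable(text, package=None):
    """Return [(name, version, [dependents...])] for every affected resolved version."""
    entries = parse_yarn_lock(text)
    by_spec = {(e.name, s): e for e in entries for s in e.specs}
    for e in entries:                                     # link each dependency to its resolver
        for dep_name, dep_range in e.dependencies.items():
            target = by_spec.get((dep_name, dep_range))
            if target is not None:
                target.dependents.add(f"{e.name}@{e.version}")
    return [(e.name, e.version, sorted(e.dependents))
            for e in entries
            if (package is None or e.name == package) and is_vulnerable(e.name, e.version)]


if __name__ == "__main__":
    for name, version, dependents in find_vulnerable(SAMPLE_LOCK):
        print(f"{name}@{version} is affected; pulled in by: "
              f"{', '.join(dependents) or 'top-level'}")
```

Against a real project, call `find_vulnerable(open("yarn.lock").read(), "yargs-parser")`. The dependents list tells you whether the fix is in your own `package.json` or, as here, in a transitive dependency that only an upstream release or a yarn `resolutions` override can move.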

AgentEnder commented 2 years ago

nrwl/schematics is not a maintained package; it's been replaced by a few others in this repo, which have been updated.

keradus commented 2 years ago

@AgentEnder, thanks for the info, I was not aware! Can you please guide me on which of them to use instead? (A link to the place it's described, if one exists, will be more than enough!)

AgentEnder commented 2 years ago

Which schematics from that collection were you using?

keradus commented 2 years ago

Oh my, some automation added nrwl/schematics to my package.json; when removed manually, everything still works. Looks like it was not used. Thanks for your support!

github-actions[bot] commented 1 year ago

This issue has been closed for more than 30 days. If this issue is still occurring, please open a new issue with more recent context.