opencollective / opencollective-cli

Command Line Interface for Open Collective
MIT License

Update minimist to 1.2.4 #19

Closed wi-ry closed 3 years ago

wi-ry commented 4 years ago

See https://www.npmjs.com/advisories/1179

rajgoraya-asurion commented 3 years ago

Please merge this. The current version, minimist@1.2.0, is flagged as a security issue by Snyk:

✗ Prototype Pollution [https://snyk.io/vuln/SNYK-JS-MINIMIST-559764] in minimist@1.2.0
  introduced by opencollective@1.0.3 > minimist@1.2.0
  This issue was fixed in versions: 0.2.1, 1.2
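
The Snyk finding quoted above is a prototype-pollution bug in an argument parser: a dotted option such as `--__proto__.x=y` walks into `Object.prototype` and assigns there. The following is an added example, not code from opencollective-cli or from minimist: a toy `--a.b=c` parser written in two variants, one that reproduces the bug class and one with the kind of prototype-chain guard the fixed versions add. The hostile argv is constructed for the demo.

```javascript
// Toy dotted-key argv parser illustrating the bug class behind
// SNYK-JS-MINIMIST-559764 / npm advisory 1179. Not minimist's code.

// Vulnerable setter: walks the dotted path creating objects as it goes,
// with no check on segment names. "__proto__" as a segment resolves to
// Object.prototype, so the final assignment lands on every object.
function setPathUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Hardened setter: refuse segments that reach into the prototype chain and
// build intermediate objects without a prototype, so a missed case still
// has nothing shared to pollute. (Guard modelled on the fixed releases,
// not copied from them.)
const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function setPathSafe(obj, keys, value) {
  if (keys.some((k) => BLOCKED_SEGMENTS.has(k))) return; // drop the argument
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined || o[key] === null || typeof o[key] !== 'object') {
      o[key] = Object.create(null);
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Minimal --key=value / --a.b.c=value parser parameterised on the setter.
function parseArgs(argv, setPath) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setPath(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Feed both setters the same hostile argv (constructed for this demo) and
// report what an unrelated, freshly created object now sees.
function demo(setPath) {
  const hostile = ['--__proto__.polluted=yes', '--name=ok'];
  parseArgs(hostile, setPath);
  const leaked = ({}).polluted;     // undefined unless the prototype was hit
  delete Object.prototype.polluted; // clean up so later runs start clean
  return leaked;
}

console.log('unsafe parser leaked:', demo(setPathUnsafe)); // 'yes'
console.log('safe parser leaked:', demo(setPathSafe));     // undefined
```

The point for a consumer of the package is that the attacker controls only argv, yet every object in the process changes behaviour; that is why a parser pulled in through a postinstall hook is worth auditing even when the CLI itself never runs on user input.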

znarf commented 3 years ago

This package will not receive further updates; we suggest switching to its replacement, opencollective-postinstall, instead. That one doesn't have any dependencies.

You can also consider removing the postinstall altogether, see: https://blog.opencollective.com/beyond-post-install/

wi-ry commented 3 years ago

Abandoning this PR based on @znarf's comments:

This package will not receive further updates; we suggest switching to its replacement, opencollective-postinstall, instead. That one doesn't have any dependencies.

You can also consider removing the postinstall altogether, see: https://blog.opencollective.com/beyond-post-install/