Closed liammulh closed 1 year ago
In https://www.npmjs.com/package/minimist#security I found that there was actually another security problem a bit later on in 1.2.5.
We use this library very sparingly, just for parsing runtime options:
I looked through the changelog and nothing seemed breaking https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md
I then checked out a local copy of it and ensured it looked the same as our current expected usage:
```js
// js.js
console.log( require( 'minimist' )( process.argv.slice( 2 ), { boolean: true } ) );
```

```
mjkauzmann ~/PHET/git/sandbox
$ node js.js -h --help fjkdls fdjkl
--> { _: [ 'fjkdls', 'fdjkl' ], h: true, help: true }
```
This is low stakes and good to do, so I committed. @liammulh can you please spot check.
Looks good, thanks, @zepumph.
Yesterday I pushed to perennial, and I saw this:
I would do the upgrade myself, but in `package.json` we have `"minimist": "~1.1.1"`,
which I believe means we want minimist to get upgrades up to but not including 1.2.0. The version that has the patch for the vulnerability is 1.2.3. So unless someone says “yeah, it’s okay to upgrade it” I am not going to touch it.
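The tilde semantics discussed in the comment above, as an added example that is not part of the original issue and not minimist's, npm's or the project's own code: a minimal `~x.y.z` range check (numeric versions only, no prerelease tags, which is enough for this case) plus a helper that answers the practical question of whether a range can ever pick up a given patched version. The function names and the numeric-only parser are assumptions made here.

```javascript
// Added example: tilde-range semantics, x.y.z numeric versions only.
// ~1.1.1 means >=1.1.1 <1.2.0; ~1.1 means >=1.1.0 <1.2.0; ~1 means >=1.0.0 <2.0.0.
// Not minimist's or npm's code; hypothetical helper names.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lower (inclusive) and upper (exclusive) bounds of a tilde range.
function tildeBounds(range) {
  const m = /^~v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(range).trim());
  if (!m) throw new Error(`not a tilde range: ${range}`);
  const major = Number(m[1]);
  const minor = m[2] === undefined ? null : Number(m[2]);
  const patch = m[3] === undefined ? 0 : Number(m[3]);
  const lower = [major, minor === null ? 0 : minor, patch];
  // With a minor given, only patch-level bumps are allowed; with only a
  // major given, anything below the next major is allowed.
  const upper = minor === null ? [major + 1, 0, 0] : [major, minor + 1, 0];
  return { lower, upper };
}

function satisfiesTilde(range, version) {
  const { lower, upper } = tildeBounds(range);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// True if some version admitted by `range` is >= fixedVersion, i.e. an
// update within the range can ever install the patched release.
function rangeCanReachFix(range, fixedVersion) {
  const { upper } = tildeBounds(range);
  return compare(parseVersion(fixedVersion), upper) < 0;
}

// Constructed sample: the range from package.json against the fix version
// named in the comment.
console.log(satisfiesTilde('~1.1.1', '1.1.9'));     // inside the range
console.log(satisfiesTilde('~1.1.1', '1.2.3'));     // patched version is excluded
console.log(rangeCanReachFix('~1.1.1', '1.2.3'));   // range must be bumped by hand
```

The point for a reviewer is the last call: as long as the declared range's exclusive upper bound sits below the first patched release, `npm update` and lockfile refreshes will keep resolving to a vulnerable version, so the fix requires editing the range itself rather than re-running the install.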