salesforce / eslint-config-lwc

Opinionated ESLint configurations for LWC projects
MIT License

Update minimist dependency to safe version 1.2.6 #89

Closed dschach closed 2 years ago

dschach commented 2 years ago

Minimist <=1.2.5 has a vulnerability. Minimist 1.2.6 may be safer, though dependabot does not confirm this. Snyk does say no found vulnerabilities. https://snyk.io/test/npm/minimist/1.2.6

Minimist says they have patched their problem: https://github.com/substack/minimist#security

dschach commented 2 years ago

Or perhaps the vulnerability is because babel/core uses json5, which uses minimist. If so, please disregard.

dschach commented 2 years ago

Babel is in the process of releasing a new version, so please use that when it comes out. Thanks!

pmdartus commented 2 years ago

Thanks for reaching out @dschach. There is no need to update eslint-config-lwc to resolve the minimist security vulnerability.

Minimist is a transitive dependency of both eslint-plugin-import and @babel/core. Those transitive dependencies use minor version matching (via ^). Since the minimist prototype pollution vuln has been fixed in 1.2.6, you can just update your lockfile to point to the latest minimist version.
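As an added example (not code from the eslint-config-lwc project or from this thread), the script below checks a package-lock.json for installed copies of a transitive dependency that are still below the fixed version, and separates dependents whose caret range already admits the fix (a lockfile refresh is enough) from dependents with an exact pin (the dependent itself needs a bump). The lockfile fragment and the `some-tool` package are constructed; the package name minimist and fixed version 1.2.6 come from the thread.

```javascript
// Constructed lockfile fragment in the lockfileVersion 2/3 "packages" layout (not a real lock).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/json5": { version: "1.0.1", dependencies: { minimist: "^1.2.0" } },
    "node_modules/some-tool": { version: "0.1.0", dependencies: { minimist: "1.2.5" } },
    "node_modules/minimist": { version: "1.2.5" },
    "node_modules/mkdirp/node_modules/minimist": { version: "1.2.6" },
  },
};
// "1.2.5" -> [1, 2, 5]; a leading ^/~/v is dropped and pre-release tags are ignored.
function parseVersion(v) {
  const [core] = v.replace(/^[v=^~]/, "").split(/[-+]/);
  return core.split(".").map(Number);
}
// Comparator on major.minor.patch: negative, zero or positive like Array.sort expects.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Does the declared range admit `version`? A caret range on major >= 1 keeps the major
// and accepts anything at or above the base (the "minor version matching" from the
// comment above); a bare version is an exact pin. Other range forms are out of scope.
function rangeAllows(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  return parseVersion(base)[0] === parseVersion(version)[0] && compareVersions(version, base) >= 0;
}

// Every installed copy of `name`, top-level or nested, that is still below `fixedVersion`.
function findVulnerable(lock, name, fixedVersion) {
  return Object.entries(lock.packages)
    .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
    .filter(([, meta]) => compareVersions(meta.version, fixedVersion) < 0)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Dependents whose declared range rejects the fix: a lockfile refresh cannot help there,
// the dependent itself must be bumped.
function dependentsBlockingFix(lock, name, fixedVersion) {
  return Object.entries(lock.packages)
    .filter(([, meta]) => meta.dependencies && meta.dependencies[name] !== undefined)
    .filter(([, meta]) => !rangeAllows(meta.dependencies[name], fixedVersion))
    .map(([p]) => p);
}

console.log(findVulnerable(SAMPLE_LOCK, "minimist", "1.2.6"), dependentsBlockingFix(SAMPLE_LOCK, "minimist", "1.2.6"));
```

Run against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty blocking list means `npm update minimist` (or deleting the lock entry and reinstalling) resolves the finding without touching eslint-config-lwc.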