shellscape / webpack-command

A superior CLI experience for webpack. Modular and opinionated.
MIT License

Prototype pollution in yargs-parser #8

Open Bratelion opened 2 years ago

Bratelion commented 2 years ago

Expected Behavior

Dependencies should not have possible Prototype Pollution issues

Actual Behavior

(Screenshot 2021-12-07 at 11 00 18: image not included)

How Do We Reproduce?

Running yarn audit or npm audit in a command window should show one of the Moderate issues: Prototype Pollution in yargs-parser.

How To Fix?

Update meow to version 7.0 or above, since those versions use yargs-parser v18.1.3 and above, which state that they have patched this issue.

shellscape commented 2 years ago

This is one of those "vulnerabilities" that isn't. Don't get too hung up on these for local development tools. Sorry, won't be resolving this anytime soon.