showdownjs / showdown

A bidirectional Markdown to HTML to Markdown converter written in JavaScript
http://www.showdownjs.com/
MIT License

Security Issue: transitive dependency y18n@4.0.0 is vulnerable #834

Closed gauravshah27 closed 2 years ago

gauravshah27 commented 3 years ago

Here is the dependency tree for showdown:

    showdown@1.9.1
      -- yargs@14.2.3
        -- y18n@4.0.0

The y18n@4.0.0 has been marked vulnerable and we are being hit with the following vulnerability: https://snyk.io/vuln/SNYK-JS-Y18N-1021887

The remediation section of the issue linked above mentions upgrading the y18n dependency to 5.0.5.
The latest version of yargs (16.1.1) is already updated to use y18n@5.0.5. Is there a release for showdown in the works where the yargs version would be updated to the latest to resolve this issue?

Any update or workaround for this will be greatly appreciated. Thanks.

Ltchoc221 commented 3 years ago

I have run into this as well - is this possible?

Directory commented 3 years ago

yikes. even if there is a solution to update the dependency nobody will publicly get it since the library has been abandoned for a year now.

obedm503 commented 3 years ago

library is not abandoned. see #833

@gauravshah27 you could try updating yargs directly. if you're using yarn you can use resolutions. I imagine npm has some equivalent.

Directory commented 3 years ago

yea, that means the library is abandoned...

gauravshah27 commented 3 years ago

@obedm503 I know yarn definitely has the resolutions built in. npm doesn't have an equivalent as of yet and there are third party packages available that rewrite the package-lock.json (and hence the dependency tree) but that solution in itself does not scale and is not feasible in a CI environment as well (you have to add preinstall scripts and resolutions section in the package.json dynamically). So the cleanest approach for this would be to update the dependency itself that pulls in all these transitives. Thanks for the suggestion though.
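The two practical questions in this thread are "which path pulls the vulnerable y18n@4.0.0 into my tree?" and "how do I pin the fixed version while upstream is unpatched?". The script below is an added example for this page, not showdown's or yargs' own tooling. It walks a constructed `package-lock.json` (lockfileVersion 1, the format npm 6 wrote at the time) built to mirror the tree in the opening report, applies npm's nearest-scope resolution rule for `requires`, and then emits the pin: a yarn `resolutions` entry as suggested above, plus the `overrides` field that npm 8.3 and later read (a later npm feature, not something the commenters had available). The package names, versions and the 5.0.5 fix target are the ones named in the thread; the sample lock file, app name and function names are constructed.

```python
"""Find the dependency path to a vulnerable transitive package in an npm v1
package-lock.json and produce the pin a consumer would add to package.json.

Added example, not part of the showdown project. The lock file below is
constructed to mirror the tree reported in the issue
(showdown@1.9.1 -> yargs@14.2.3 -> y18n@4.0.0).
"""
import json
from typing import Dict, List, Set

# Constructed lockfileVersion 1 document. npm hoists packages to the top-level
# "dependencies" map unless a nested copy is needed to satisfy a conflicting
# range, so y18n appears twice: a hoisted 5.0.5 that a newer yargs resolves to,
# and a nested 4.0.0 that only showdown's yargs@14 sees.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "showdown": {
      "version": "1.9.1",
      "requires": { "yargs": "^14.2" },
      "dependencies": {
        "yargs": {
          "version": "14.2.3",
          "requires": { "y18n": "^4.0.0" },
          "dependencies": {
            "y18n": { "version": "4.0.0" }
          }
        }
      }
    },
    "yargs": {
      "version": "16.1.1",
      "requires": { "y18n": "^5.0.5" }
    },
    "y18n": { "version": "5.0.5" }
  }
}
""")


def find_paths(lock: dict, target: str, bad_versions: Set[str]) -> List[List[str]]:
    """Return every path (as name@version strings) from a top-level package down
    to `target` at one of `bad_versions`.

    Resolution follows npm's layout rule: a name listed in a node's "requires"
    is looked up in that node's own nested "dependencies" (its node_modules),
    then in each enclosing scope outward to the root. Scopes deeper than the
    one where a package was found are discarded before resolving its requires.
    """
    root: Dict[str, dict] = lock.get("dependencies", {})
    found: List[List[str]] = []

    def walk(name: str, scopes: List[Dict[str, dict]], path: List[str]) -> None:
        for depth in range(len(scopes) - 1, -1, -1):
            if name in scopes[depth]:
                node = scopes[depth][name]
                scopes = scopes[: depth + 1]
                break
        else:
            return  # dangling require: nothing installed under that name
        entry = f"{name}@{node['version']}"
        if entry in path:
            return  # cycle guard (lock files can contain peer cycles)
        path = path + [entry]
        if name == target and node["version"] in bad_versions:
            found.append(path)
            return
        nested = node.get("dependencies", {})
        for req in node.get("requires", {}):
            walk(req, scopes + [nested], path)

    for top in root:
        walk(top, [root], [])
    return found


def pin_transitive(package_json: dict, name: str, version: str) -> dict:
    """Return a copy of package.json that forces `name` to `version` for the
    whole tree. yarn reads "resolutions"; npm 8.3+ reads "overrides" with the
    same flat shape. The caller is responsible for checking that the pinned
    version still satisfies the consumer's range (here yargs@14's ^4.0.0 would
    be overridden to 5.0.5, so that combination must be tested)."""
    out = json.loads(json.dumps(package_json))  # deep copy, leave input intact
    out.setdefault("resolutions", {})[name] = version
    out.setdefault("overrides", {})[name] = version
    return out


if __name__ == "__main__":
    for p in find_paths(SAMPLE_LOCK, "y18n", {"4.0.0"}):
        print("vulnerable path:", " -> ".join(p))
    app = {"name": "example-app", "dependencies": {"showdown": "^1.9.1"}}
    print(json.dumps(pin_transitive(app, "y18n", "5.0.5"), indent=2))
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; lockfileVersion 2 and 3 files use a flat `packages` map keyed by path instead, so they need a different walker. The path output is what a ticket like this one needs: it shows exactly which top-level dependency is responsible for the nested copy, which is the one to upgrade or pin.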

SyntaxRules commented 2 years ago

Fixed on master. Will release with v2.0.0