strong-globalize is built on Unicode CLDR and jquery/globalize. It automatically extracts strings from JS source code and HTML templates, lints the string resources, and machine-translates them in seconds. At runtime, it loads the locale and string resources into memory and provides a hook for persistent logging.
a vulnerability CVE-2020-7598 is introduced in strong-globalize-cli #179
Hi @raymondfeng, the vulnerability CVE-2020-7598 is introduced into strong-globalize-cli via:
● strong-globalize-cli@7.1.0 ➔ optimist@0.6.1 ➔ minimist@0.0.10
optimist is a legacy package. It has not been maintained for about 8 years, and is not likely to be updated.
Is it possible to migrate from optimist to another package to remediate this vulnerability?
I noticed several records of migrating away from optimist in other JS repos, such as:
in handlebars, version 4.7.3 --> 4.7.4: migrated from optimist to yargs via commit
in db-migrate, version 1.0.0-beta.2 --> 1.0.0-beta.3: migrated from optimist to yargs via commit
in http-server, version 0.12.1 --> 0.12.2: deprecated optimist and used minimist directly via commit
Are there any efforts planned that would remediate this vulnerability or migrate away from optimist?
Thanks ; )
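The chain quoted in the issue (strong-globalize-cli ➔ optimist ➔ minimist) is the kind of path a dependency audit has to surface: the vulnerable package is not a direct dependency, so the fix is either an upstream release of the intermediate package (unlikely for an unmaintained one such as optimist) or replacing that intermediate. The following is an added example, not code from strong-globalize or from the issue author, that walks an npm-style nested dependency tree and reports every path reaching a package whose version falls inside a given vulnerable range. The tree is constructed inline (the optimist/minimist versions echo the issue; the yargs branch and its versions are made up for contrast), and the minimist version ranges for CVE-2020-7598 are an assumption taken from memory of the advisory and should be checked against it before use.

```javascript
// Added example (not part of strong-globalize): locate every path in an
// npm-style dependency tree that ends at a vulnerable package version.

// Constructed tree shaped like the nested "dependencies" object of a
// package-lock.json (lockfileVersion 1). The optimist -> minimist versions
// mirror the issue; the yargs branch is made up to show a clean path.
const lockTree = {
  name: "strong-globalize-cli",
  version: "7.1.0",
  dependencies: {
    optimist: {
      version: "0.6.1",
      dependencies: {
        minimist: { version: "0.0.10" },
        wordwrap: { version: "0.0.3" },
      },
    },
    yargs: {
      version: "15.3.1",
      dependencies: {
        "yargs-parser": { version: "18.1.3" },
      },
    },
  },
};

// Minimal comparison for "MAJOR.MINOR.PATCH" strings (no prerelease tags).
// Returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A vulnerable range is a list of half-open [lo, hi) intervals: versions
// >= lo and < hi are affected, so hi is the first fixed release.
function isVulnerable(version, ranges) {
  return ranges.some(
    ([lo, hi]) => cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) < 0
  );
}

// Depth-first walk from the root. Returns an array of paths, each path an
// array of "name@version" strings from the root down to a vulnerable hit.
function findVulnerablePaths(tree, target, ranges) {
  const hits = [];
  function walk(name, node, path) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target && isVulnerable(node.version, ranges)) hits.push(here);
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      walk(child, childNode, here);
    }
  }
  walk(tree.name, tree, []);
  return hits;
}

// Assumed affected ranges for minimist under CVE-2020-7598 (fixed in 0.2.1
// and 1.2.3 as I recall the advisory); verify against the advisory itself.
const MINIMIST_VULN = [["0.0.0", "0.2.1"], ["1.0.0", "1.2.3"]];

// Usage: print each path as the issue does, with the intermediate package
// that would have to be replaced or upgraded visible in the middle.
for (const p of findVulnerablePaths(lockTree, "minimist", MINIMIST_VULN)) {
  console.log(p.join(" -> "));
}
```

The walk reports the full chain rather than just the leaf because the remediation decision depends on the intermediate node: if `optimist` will not ship a release that bumps `minimist`, the only fix under the root's control is to replace `optimist` (as the handlebars and db-migrate migrations to yargs did) or to depend on a patched `minimist` directly.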