tyrasd / osmtogeojson

convert osm to geojson
http://tyrasd.github.io/osmtogeojson/
MIT License
683 stars 112 forks

Security alert in minimist #133

Open tahini opened 2 years ago

tahini commented 2 years ago

In our project's security dependabot alerts, we have a critical alert that we can trace back to this package:

Prototype Pollution in minimist

The latest possible version of minimist that can be installed is 0.0.5.

The earliest fixed version is 1.2.6

We use osmtogeojson 3.0.0-beta.4, which depends on @mapbox/geojson-rewind@0.4.0, which itself has dependencies on minimist 1.2.0 and sharkdown ^0.1.0, which depends on minimist 0.0.5.

If this plugin could depend on ^0.4.0 instead of 0.4.0, the dependency alert could probably be fixed.
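The chain described above, as an added example that is not part of the issue or of osmtogeojson's code: a walk over a dependency tree in the shape `npm ls --json` prints that reports every minimist install older than the advisory's first fixed release, plus a check of what the proposed `^0.4.0` range admits compared with the exact `0.4.0` pin. The tree is constructed from the versions named in the issue (the installed sharkdown version 0.1.0 is assumed), and the function names are hypothetical.

```javascript
// Added example, not osmtogeojson's own code. Dependency tree constructed
// from the chain in the issue, in the shape `npm ls --json` emits.
const FIXED_MINIMIST = '1.2.6'; // first fixed version quoted in the issue
const tree = {
  name: 'osmtogeojson', version: '3.0.0-beta.4',
  dependencies: { '@mapbox/geojson-rewind': { version: '0.4.0', dependencies: {
    minimist: { version: '1.2.0', dependencies: {} },
    sharkdown: { version: '0.1.0', // installed version assumed (range is ^0.1.0)
      dependencies: { minimist: { version: '0.0.5', dependencies: {} } } },
  } } },
};

// Numeric compare of dotted versions; prerelease suffixes are ignored,
// which is enough for the minimist releases involved here.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk returning one "a@x > b@y > minimist@z" path per
// vulnerable minimist install, making the chain dependabot flags explicit.
function findVulnerablePaths(node, name = node.name, path = []) {
  const here = [...path, `${name}@${node.version}`];
  const hits = [];
  if (name === 'minimist' && compareVersions(node.version, FIXED_MINIMIST) < 0) {
    hits.push(here.join(' > '));
  }
  for (const [dep, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findVulnerablePaths(child, dep, here));
  }
  return hits;
}

// Does `range` admit `version`? An exact pin ("0.4.0") admits only itself; a
// caret range ("^0.4.0") admits >=0.4.0 <0.5.0, so a patched geojson-rewind
// can be picked up by a fresh install without a manual bump here.
function rangeAllows(range, version) {
  if (!range.startsWith('^')) return compareVersions(range, version) === 0;
  const base = range.slice(1).split('.').map(Number);
  const i = base.findIndex((p) => p !== 0);          // first non-zero component
  const bump = i === -1 ? base.length - 1 : i;
  const upper = base.map((p, k) => (k < bump ? p : k === bump ? p + 1 : 0));
  return compareVersions(version, base.join('.')) >= 0 &&
    compareVersions(version, upper.join('.')) < 0;
}
```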

vavsab commented 1 year ago

Fixed in 3.0.0-beta.5