Snyk vulnerability: minimist

[hspinks]

Snyk report finds a Medium Severity issue with minimist@0.0.8 introduced through react-scripts@3.4.0: https://app.snyk.io/vuln/SNYK-JS-MINIMIST-559764

Snyk's suggested remediation:

Your dependencies are out of date, otherwise you would be using a newer minimist than minimist@0.0.8. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.

[RohanTalip]

See also facebook/create-react-app#8663 and facebook/create-react-app#8672

[RohanTalip]

@hspinks do you have a link to the full report? I'm curious what the path through the dependency tree from react-scripts@3.4.0 to minimist@0.0.8 is ... (as minimist@0.0.8 doesn't appear to be a direct dependency of react-scripts@3.4.0)

[hspinks]

@RohanTalip good question. here are the 2 paths:

whoapp@0.0.1 › react-scripts@3.4.0 › eslint-loader@3.0.3 › loader-fs-cache@1.0.2 › mkdirp@0.5.1 › minimist@0.0.8

and

whoapp@0.0.1 › react-scripts@3.4.0 › eslint-loader@3.0.3 › loader-fs-cache@1.0.2 › find-cache-dir@0.1.1 › mkdirp@0.5.1 › minimist@0.0.8

[RohanTalip]

I'm guessing this can be closed since we're going with the Flutter implementation?