yargs-parser are vulnerable to prototype pollution in version 3.4.1

[vikramdadwal]

Describe the bug

yargs-parser are vulnerable to prototype pollution in version 3.4.1

Expected behavior

should fix the security issue.

Actual behavior

yargs-parser are vulnerable to prototype pollution in version 3.4.1.

[ianschmitz]

yargs-parser@3.4.1 doesn't exist.

[navidjh]

@ianschmitz I believe this issue is referring to react-scripts version 3.4.1 not yargs-parser.

-- react-scripts@3.4.1
+-- jest@24.9.0
| -- jest-cli@24.9.0
| -- -- yargs@13.3.2
| -- -- -- yargs-parser@13.1.2
-- webpack-dev-server@3.10.3
-- -- yargs@12.0.5
-- -- -- yargs-parser@11.1.1

[pzelnip]

Why was this issue closed if the issue has not been fixed? react-scripts 3.4.1 is still vulnerable and will cause an npm audit to return non-zero:

Low Prototype Pollution 

Package yargs-parser 

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 

Dependency of react-scripts [dev] 

Path react-scripts > webpack-dev-server > yargs > yargs-parser 

More info https://npmjs.com/advisories/1500 

[mhassan1]

this has been resolved on master but not yet released: #8975

[pzelnip]

Any sense of when that release will be?