
Upgrade tsconfig-paths dependency to v4 #2448

Closed
lu-zen opened this issue May 5, 2022 · 1 comment

Comments


lu-zen commented May 5, 2022

Hi.

The version of tsconfig-paths used in this project depends on the minimist package, which has a critical security vulnerability in an older version.

I think updating it to latest major version of tsconfig-paths that depends on a patched version of minimist should resolve the issue.

ljharb (Member) commented May 5, 2022

That would require a breaking change, and is already being discussed in #2447.

Additionally, this is an invalid CVE; a Prototype Pollution attack in a CLI arg parsing tool (minimist) is a self-attack and thus, not an attack; additionally, https://unpkg.com/browse/tsconfig-paths@3.14.1/package.json depends on a version of minimist that is not vulnerable, so the CVE in no way requires a v4 upgrade.
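The comment above turns on which minimist version is actually resolved in the dependency tree, not which tsconfig-paths major is declared. The following added example (not part of this issue or the project) reads a lockfile's `packages` map (lockfileVersion 2/3 layout, assumed), lists every installed copy of a package, and flags those below a fixed version taken from the advisory being evaluated. The lockfile and the fixed-version value are constructed for illustration.

```javascript
// Added example: audit every resolved copy of a package in a package-lock.json.
// Assumes the lockfileVersion 2/3 "packages" map (keys like "node_modules/x/node_modules/y").

// Split "1.2.6" into [1, 2, 6]; pre-release tags are ignored for this check.
const semverParts = (v) => v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);

// True when `version` sorts strictly before `fixed` (major, minor, patch).
function isBelow(version, fixed) {
  const a = semverParts(version), b = semverParts(fixed);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Every installed copy of `name`, hoisted or nested, with its resolved version.
function findInstalled(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Mark each copy as vulnerable when it is older than the advisory's fixed version.
function auditPackage(lock, name, fixedVersion) {
  return findInstalled(lock, name).map((copy) => ({
    ...copy,
    vulnerable: isBelow(copy.version, fixedVersion),
  }));
}

// Constructed sample lockfile; versions are illustrative, not measured from any real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo', dependencies: { 'tsconfig-paths': '^3.14.1', 'some-old-tool': '0.1.0' } },
    'node_modules/tsconfig-paths': { version: '3.14.1', dependencies: { minimist: '^1.2.6' } },
    'node_modules/tsconfig-paths/node_modules/minimist': { version: '1.2.6' },
    'node_modules/some-old-tool': { version: '0.1.0', dependencies: { minimist: '0.0.8' } },
    'node_modules/some-old-tool/node_modules/minimist': { version: '0.0.8' },
  },
};

// Constructed placeholder: take the real threshold from the advisory you are assessing.
const FIXED_MINIMIST = '1.2.6';

console.table(auditPackage(sampleLock, 'minimist', FIXED_MINIMIST));
```

Only the copy nested under the outdated tool is flagged; the copy under tsconfig-paths is at or above the threshold, which is the kind of check that decides whether an advisory actually applies to a given tree.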

ljharb closed this as not planned on May 5, 2022.