Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove yargs as a dependency due to security concerns #140

Open
sdasda7777 opened this issue Feb 7, 2024 · 1 comment
Open

Remove yargs as a dependency due to security concerns #140

sdasda7777 opened this issue Feb 7, 2024 · 1 comment

Comments

@sdasda7777
Copy link

Hi, could you please remove yargs as a dependency and use something else instead?

A core dependency of yargs, yargs-parser not only has vulnerabilities in the specific version you use, but seemingly hasn't been updated at all in the last two years, merge requests with additional fixes being ignored. I don't believe yargs should be trusted as a dependency when this is allowed.
@sdasda7777
Copy link
Author 

# npm audit report

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    mldoc  *
    Depends on vulnerable versions of yargs
    node_modules/mldoc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sdasda7777