APSL/redux-i18n

a vulnerability CVE-2020-7598 is introduced in redux-i18n

ayaka-kms opened this issue · 7 comments

Hi, @francescarpi, a vulnerability CVE-2020-7598 is introduced in redux-i18n via:
● redux-i18n@1.5.23 ➔ optimist@0.6.1 ➔ minimist@0.0.10

optimist is a legacy package. It has not been maintained for about 8 years, and is not likely to be updated.
Is it possible to migrate optimist to other package to remediate this vulnerability?

I noticed several migration records for optimist in other js repos, such as

  1. in handlebars, version 4.7.3-->4.7.4, migrate optimist to yargs via commit
  2. in db-migrate, version 1.0.0-beta.2-->1.0.0-beta.3, migrate optimist to yargs via commit
  3. in http-server, version 0.12.1-->0.12.2, deprecated optimist and directly use minimist via commit

Are there any efforts planned that would remediate this vulnerability or migrate optimist?

Thanks
; )
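The dependency chain in the report above (redux-i18n ➔ optimist ➔ minimist) is the kind of thing a lockfile walk can surface automatically. The snippet below is an added example, not code from the redux-i18n project: it walks a constructed npm lockfile-v1-style nested tree and lists every path that reaches a given package name (optionally pinned to one version), so a maintainer can see which direct dependency has to be migrated.

```javascript
// Added example (not from the redux-i18n project): report every dependency
// path in a lockfile-v1-style nested tree that ends at a given package,
// e.g. redux-i18n@1.5.23 -> optimist@0.6.1 -> minimist@0.0.10.
// The tree below is constructed for illustration; it is not a real lockfile.
const lockTree = {
  name: "example-app",
  dependencies: {
    "redux-i18n": {
      version: "1.5.23",
      dependencies: {
        optimist: {
          version: "0.6.1",
          dependencies: { minimist: { version: "0.0.10" } },
        },
      },
    },
    // Constructed sibling pulling in a different minimist version, included
    // only to show that exact-version matching filters it out. The version
    // number is made up and says nothing about which releases are fixed.
    "example-tool": {
      version: "2.0.0",
      dependencies: { minimist: { version: "1.0.0" } },
    },
  },
};

// Returns an array of "name@version -> ... -> name@version" strings for every
// occurrence of pkgName (and, if given, pkgVersion) anywhere in the tree.
function findDependencyPaths(tree, pkgName, pkgVersion, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${node.version}`];
    const versionMatches = pkgVersion === undefined || node.version === pkgVersion;
    if (name === pkgName && versionMatches) {
      hits.push(path.join(" -> "));
    }
    // Recurse into nested dependencies so transitive pulls are found too.
    hits.push(...findDependencyPaths(node, pkgName, pkgVersion, path));
  }
  return hits;
}

// The first segment of each reported path is the direct dependency that
// has to be upgraded or replaced to drop the vulnerable transitive one.
for (const p of findDependencyPaths(lockTree, "minimist", "0.0.10")) {
  console.log("vulnerable path:", p);
}
```

On a real project, replace `lockTree` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v2/v3 files keep a flat `packages` map instead, which this nested walk does not cover.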

Is this lib deprecated? This is a critical vulnerability I'd like to see fixed. The change is super small; I wouldn't mind making a PR for this, but it seems adding branches to this repo is prohibited.

I would also like to have it fixed. To me it looks like migrating to minimist is easily done. I would be willing to create a PR if that helps.

Hi @AndreeWille .
I will be grateful if you can send me a PR, please.
Thanks.

Any feedback on the PR would be appreciated.

Hi @AndreeWille ,
yes, sorry. I need to be relaxed to look at your PR (and comments) calmly. I'm going to answer you soon.
Thx

Hi @francescarpi,

thanks a lot. I totally understand that you are working on other things and might have limited time.

PR #150 merged! Thanks a lot.