Customizr dependency optimist is deprecated and should be replaced with yargs to remedy prototype pollution
rediris opened this issue · 4 comments
rediris commented
```text
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low             Prototype Pollution
Package         minimist
Patched in      >=0.2.1 <1.0.0 || >=1.2.3
Dependency of   gulp-modernizr [dev]
Path            gulp-modernizr > customizr > optimist > minimist
More info       https://npmjs.com/advisories/1179
```
See: https://www.npmjs.com/advisories/1179
Also see the deprecation notice at the top of: https://www.npmjs.com/package/optimist
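The advisory above concerns how minimist before 1.2.3 assigned dotted argv keys without refusing names that reach the prototype chain. The following is an added illustration of that bug class, not code from customizr, optimist or minimist: a minimal `--key=value` parser written in the vulnerable shape beside a hardened version, with a demo that checks whether an unrelated object picks up the injected property. All function names are hypothetical.

```javascript
// Added example (not code from customizr, optimist or minimist): a toy argv
// parser that assigns dotted keys the way pre-1.2.3 minimist did, beside a
// hardened variant. Function names are hypothetical.

// Vulnerable shape: walk "a.b.c" and create/assign nested objects blindly.
// For "--__proto__.polluted=yes", obj['__proto__'] is Object.prototype, so the
// final assignment lands on every object in the process.
function setKeyVulnerable(obj, keyPath, value) {
  const parts = keyPath.split('.');
  let cursor = obj;
  for (const part of parts.slice(0, -1)) {
    if (cursor[part] === undefined) cursor[part] = {};
    cursor = cursor[part];
  }
  cursor[parts[parts.length - 1]] = value;
  return true;
}

// Hardened shape: refuse any segment that can reach the prototype chain
// (covers both "__proto__.x" and "constructor.prototype.x").
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setKeyHardened(obj, keyPath, value) {
  const parts = keyPath.split('.');
  if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) return false;
  let cursor = obj;
  for (const part of parts.slice(0, -1)) {
    if (cursor[part] === undefined || typeof cursor[part] !== 'object') {
      cursor[part] = {};
    }
    cursor = cursor[part];
  }
  cursor[parts[parts.length - 1]] = value;
  return true;
}

// Minimal "--key=value" parser; setKey is injected so both variants share it.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1], m[2]);
  }
  return out;
}

// Run a constructed malicious argv through the given setKey and report whether
// an object created afterwards inherited the injected property.
function demo(setKey) {
  const argv = ['--__proto__.polluted=yes', '--verbose=true']; // constructed input
  const parsed = parseArgs(argv, setKey);
  const unrelated = {};
  const result = { parsedVerbose: parsed.verbose, leaked: unrelated.polluted };
  // Undo any pollution so the rest of the process is unaffected.
  delete Object.prototype.polluted;
  return result;
}

console.log('vulnerable:', demo(setKeyVulnerable)); // leaked: 'yes'
console.log('hardened:  ', demo(setKeyHardened));   // leaked: undefined
```

The same check is what `npm audit` is flagging here: any code path that turns attacker-influenced argv into nested property writes must reject `__proto__`, `constructor` and `prototype` segments, or move off the unmaintained optimist onto a parser that does.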
rejas commented
Thx for the heads up. Might you be interested in providing a PR for this?
rediris commented
> Thx for the heads up. Might you be interested in providing a PR for this?
Just submitted a PR, but it's failing the tests, not quite sure why.
rejas commented
You seem to have branched off from an old master, which will fail since Modernizr has gotten new tests in the meantime (which customizr tests won't recognize). If you rebase it to the latest master (or merge master into your branch) it should run fine.
rejas commented
Fixed it myself, thanks for the PR and issue.