Modernizr/customizr

Customizr dependency optimist is deprecated and should be replaced with yargs to remedy prototype pollution

rediris opened this issue · 4 comments

=== npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Prototype Pollution
  Package         minimist
  Patched in      >=0.2.1 <1.0.0 || >=1.2.3
  Dependency of   gulp-modernizr [dev]
  Path            gulp-modernizr > customizr > optimist > minimist
  More info       https://npmjs.com/advisories/1179

See: https://www.npmjs.com/advisories/1179

Also see the deprecation notice at the top of: https://www.npmjs.com/package/optimist
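The audit entry above concerns prototype pollution in minimist's dotted-key handling. As an added example (not code from customizr, optimist, minimist or yargs), here is a hardened dotted-key assignment of the kind an argument parser needs, with a post-parse check that Object.prototype is still clean; the option names in the sample argv are constructed, not customizr's real flags.

```javascript
// Added illustration, not the project's code: a dotted-key setter for
// `--a.b=1` style arguments that refuses any segment able to redirect the
// walk into a shared prototype (the class of guard the patched minimist adds).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at `path` (e.g. "a.b.c") inside `target`, creating nested
// plain objects as needed. Returns false and assigns nothing if any segment
// is forbidden, so the caller can report the rejected argument.
function setPath(target, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN.has(p))) return false;
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Descend only into own plain-object properties, never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

// Parse `--key=value` / `--key` tokens into an object via setPath.
// Returns { argv, rejected }, where `rejected` lists tokens the guard refused.
function parseArgs(tokens) {
  const argv = {};
  const rejected = [];
  for (const tok of tokens) {
    if (!tok.startsWith('--')) continue;
    const eq = tok.indexOf('=');
    const key = eq === -1 ? tok.slice(2) : tok.slice(2, eq);
    const value = eq === -1 ? true : tok.slice(eq + 1);
    if (!setPath(argv, key, value)) rejected.push(tok);
  }
  return { argv, rejected };
}

// Regression check to run after parsing: Object.prototype's built-ins are
// non-enumerable, so any own enumerable key on it means pollution happened.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed sample argv; the middle token is the key shape the linked
// advisory describes and must be rejected rather than applied.
const sample = ['--config=cfg.json', '--__proto__.polluted=yes', '--uglify'];
const result = parseArgs(sample);
```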

rejas commented

Thx for the heads up. Might you be interested in providing a PR for this?

> Thx for the heads up. Might you be interested in providing a PR for this?

Just submitted a PR, but it's failing the tests, not quite sure why.

rejas commented

You seem to have branched off from an old master, which will fail since Modernizr has gotten new tests in the meantime (which customizr's tests won't recognize). If you rebase it onto the latest master (or merge master into your branch) it should run fine.

rejas commented

Fixed it myself, thanks for the PR and issue.