opencollective dependency is end-of-life and transitively depends on vulnerable versions of minimist
rjgotten opened this issue · 0 comments
Describe the bug
Current versions of the react-reactive-form package depend on opencollective@1.0.3
This package is end-of-life -- will not see further updates, yet transitively depends on versions of the the minimist package that are vulnerable to two cases of prototype pollution. By extension this leaves consumers of the react-reactive-form package with a vulnerable version of minimist in their tree.
To Reproduce
- Install the
react-reactive-formpackage. - Run
npm audit.
Expected behavior
No security vulnerabilities in the package tree by removing the dependency on opencollective.
(Note also that OpenCollective itself actively discourages continued use of their old solutions that hang off of postinstall scripts. They encourage using the built-in npm fund functionality instead.)