Depends on vulnerable package: minimist v0.0.8 and v1.2.0
seanprince opened this issue · 2 comments
Please answer these questions before submitting a bug report.
What version of OpenCensus are you using?
0.0.20
What version of Node are you using?
10.15.1
What did you do?
Run npm install for my application, then run npm ls minimist.
What did you expect to see?
opencensus-node should only depend on packages that do not contain vulnerabilities.
What did you see instead?
Here's the dependency graph:
+-- @opencensus/nodejs@0.0.20
| `-- @opencensus/instrumentation-all@0.0.20
|   `-- @opencensus/instrumentation-grpc@0.0.20
|     `-- grpc@1.24.2
|       `-- node-pre-gyp@0.14.0
|         +-- mkdirp@0.5.1
|         | `-- minimist@0.0.8
|         `-- rc@1.2.8
|           `-- minimist@1.2.0
Additional context
minimist v0.0.8 and minimist v1.2.0 contain a vulnerability - see https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-7598/
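The check the reporter did by hand (npm ls minimist, then comparing each copy against the advisory) can be scripted. The following is an added example, not code from this issue or from opencensus-node: it walks the nested dependencies objects that npm ls --json emits and reports every path that reaches a minimist version inside the ranges CVE-2020-7598 covers. Assumptions: the fixed releases are 0.2.1 and 1.2.3 (so <0.2.1 and >=1.0.0 <1.2.3 are affected, as the GitHub advisory lists them); SAMPLE_TREE is constructed by hand from the graph in the issue, plus a patched top-level minimist@1.2.5 for contrast; all function names are mine.

```javascript
// Added example, not part of the issue or of opencensus-node.
// Finds every copy of minimist in an `npm ls --json` tree and flags the ones
// in the CVE-2020-7598 ranges. Assumption: fixed in 0.2.1 and 1.2.3.

// Constructed sample: the shape `npm ls --json` produces, trimmed to the path
// reported in the issue, plus a patched top-level copy for contrast.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@opencensus/nodejs": {
      version: "0.0.20",
      dependencies: {
        "@opencensus/instrumentation-all": {
          version: "0.0.20",
          dependencies: {
            "@opencensus/instrumentation-grpc": {
              version: "0.0.20",
              dependencies: {
                grpc: {
                  version: "1.24.2",
                  dependencies: {
                    "node-pre-gyp": {
                      version: "0.14.0",
                      dependencies: {
                        mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } },
                        rc: { version: "1.2.8", dependencies: { minimist: { version: "1.2.0" } } },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    minimist: { version: "1.2.5" }, // patched copy at the top level
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not string) comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges for CVE-2020-7598 (assumed from the advisory's fixed versions):
// anything below 0.2.1, and 1.0.0 up to but excluding 1.2.3.
const CVE_2020_7598_RANGES = [
  { min: null, maxExclusive: "0.2.1" },
  { min: "1.0.0", maxExclusive: "1.2.3" },
];

function isVulnerableMinimist(version) {
  return CVE_2020_7598_RANGES.some(
    (r) =>
      (r.min === null || compareVersions(version, r.min) >= 0) &&
      compareVersions(version, r.maxExclusive) < 0
  );
}

// Depth-first walk over npm's nested `dependencies` objects. Returns one entry
// per occurrence of `target`, carrying the full path from the root so the
// report names the top-level dependency that drags the package in.
function findPackagePaths(tree, target, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) hits.push({ version: node.version, path: here });
    hits.push(...findPackagePaths(node, target, here));
  }
  return hits;
}

// Only the occurrences whose version falls inside an affected range.
function findVulnerableMinimist(tree) {
  return findPackagePaths(tree, "minimist").filter((h) => isVulnerableMinimist(h.version));
}

for (const hit of findVulnerableMinimist(SAMPLE_TREE)) {
  console.log(`minimist@${hit.version} via ${hit.path.join(" > ")}`);
}
```

To run it against a real project, replace SAMPLE_TREE with JSON.parse of the output of npm ls --json (newer npm needs --all to print the full depth). Note what the sample shows: the patched top-level copy does not help, because npm only dedupes to a single copy when the declared ranges overlap, so the two nested copies stay until node-pre-gyp's mkdirp and rc dependencies move to a range that admits a fixed minimist.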
Yes, that looks like it fixes at least the dependency on minimist 1.2.0. Couldn't see any changes to fix dependency on minimist 0.0.8.