gulpjs/gulp-cli

Bump yargs

n-rodriguez opened this issue · 2 comments

yes, I read it and I don't give a f***, there is still a vulnerability and I got a lot of noise from Github in my mailbox (like you I hate spam in my mailbox).

On top of that, yargs 7.1 is 3 years old: https://github.com/yargs/yargs/releases/tag/v7.1.0, IMHO it's time to upgrade.

GHSA-p9pc-299p-vxgp
low severity
Vulnerable versions: < 13.1.2
Patched version: 13.1.2

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
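Added example (my own minimal parser, not yargs-parser's code) showing the mechanism the advisory describes: a naive dotted-key argv parser walks `__proto__` onto `Object.prototype`, while the hardened variant refuses the prototype-walking segments. The `BLOCKED` set, `setPath`, `parseArgv` and `demonstrate` are names I made up for this illustration.

```javascript
// Keys that let a dotted path escape the target object and reach a prototype.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Assigns `value` into `target` along a dotted path, creating objects as needed.
// With safe=false this reproduces the advisory's bug; with safe=true it rejects
// any segment that would walk onto a prototype instead of a plain property.
function setPath(target, path, value, { safe }) {
  const parts = path.split('.');
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (safe && BLOCKED.has(key)) throw new Error(`refusing unsafe key "${key}"`);
    if (typeof obj[key] !== 'object' || obj[key] === null) obj[key] = {};
    obj = obj[key]; // for "__proto__" this is Object.prototype itself
  }
  const last = parts[parts.length - 1];
  if (safe && BLOCKED.has(last)) throw new Error(`refusing unsafe key "${last}"`);
  obj[last] = value;
}

// Parses ["--a.b", "1", "--c=2", "--flag"] style argv into a nested object.
function parseArgv(argv, { safe = true } = {}) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    let key = tok.slice(2);
    let value = true;
    const eq = key.indexOf('=');
    if (eq !== -1) {
      value = key.slice(eq + 1);
      key = key.slice(0, eq);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      value = argv[++i];
    }
    setPath(out, key, value, { safe });
  }
  return out;
}

// Runs the advisory's argument (constructed input) through both variants and
// reports what happened; cleans Object.prototype up again afterwards.
function demonstrate() {
  const argv = ['--foo.__proto__.bar', 'baz'];
  parseArgv(argv, { safe: false });
  const polluted = ({}).bar === 'baz'; // an unrelated fresh object now has `bar`
  delete Object.prototype.bar;         // undo the pollution in this process
  let rejected = false;
  try { parseArgv(argv, { safe: true }); } catch (e) { rejected = true; }
  return { polluted, rejected, stillClean: ({}).bar === undefined };
}
```

The same `BLOCKED` check is the shape of the upstream fix: treat `__proto__`, `constructor` and `prototype` as data, never as a path to traverse.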

It's painfully obvious that you don't know how to use your tools, nor participate appropriately in an open source community. As is the proper fix to that issue, we worked with the upstream maintainers of yargs to backport a fix (participate appropriately) as 7.1.1 and you are using an outdated lockfile (don't know how to use your tools).

Your behavior will result in a permanent ban from this project.

I kind of hoped that yargs would be updated as well to the newer version... lots of outdated code.