gulpjs/gulp-cli

yargs backport @7.1.2

yann-achard opened this issue · 1 comment

Regarding the following dependency chain: gulp-cli@2.3.0 -> yargs@7.1.1 -> y18n@3.2.1

If I understand this correctly (I'm rather new to web dev, so bear with me here) you are only interested in backports.

I see there is a version 7.1.2 of yargs which depends on y18n@5.0.8.
Updating to it would address vulnerability CVE-2020-7774.
Has this version been considered before?

Thanks

You likely have a lockfile that is locking you into an old version of yargs. As you can see at https://github.com/gulpjs/gulp-cli/blob/master/package.json#L51, we use ^7.1.0 which means you'll get the latest 7.1.x version if you don't have a lockfile.

So, remove your lockfile or upgrade your packages.
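One way to check what the reply describes before deleting anything, as an added example that is not gulp-cli's own code: walk a package-lock.json, report where yargs and y18n are pinned and through which chain, and confirm that the declared `^7.1.0` range would already admit 7.1.2. The lockfile object below is constructed for illustration in the lockfileVersion 1 shape, and `satisfiesCaret` is a deliberately minimal stand-in for npm's real semver matching (full `x.y.z` caret ranges with a non-zero major only).

```javascript
// Added example, not code from gulp-cli. Constructed lockfile mirroring the
// chain in the issue: gulp-cli@2.3.0 -> yargs@7.1.1 -> y18n@3.2.1.
// Real lockfiles are larger and lockfileVersion 2/3 also carry a "packages" map.
const lockfile = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "gulp-cli": {
      version: "2.3.0",
      requires: { yargs: "^7.1.0" },
      dependencies: {
        yargs: {
          version: "7.1.1",
          requires: { y18n: "^3.2.1" },
          dependencies: { y18n: { version: "3.2.1" } },
        },
      },
    },
  },
};

// Parse a plain x.y.z version into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// -1, 0 or 1 like a comparator, numeric per component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal caret semantics (assumption: enough for this thread, not a full
// semver implementation): ^7.1.0 admits >=7.1.0 and <8.0.0.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const base = range.slice(1);
  const lo = parseVersion(base);
  if (lo[0] === 0) throw new Error("0.x caret ranges are not handled here");
  const v = parseVersion(version);
  return v[0] === lo[0] && compareVersions(version, base) >= 0;
}

// Depth-first walk of the nested lockfile tree. Returns every resolved copy
// of `name` together with the chain of packages that pulled it in.
function findPinned(tree, name, path = [], out = []) {
  for (const [dep, entry] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${entry.version}`];
    if (dep === name) out.push({ path: here, version: entry.version });
    findPinned(entry, name, here, out);
  }
  return out;
}

// Pins of `name` that are older than `fixedVersion`, i.e. what the lockfile
// is holding back despite what package.json would allow.
function outdatedPins(lock, name, fixedVersion) {
  return findPinned(lock, name).filter(
    (p) => compareVersions(p.version, fixedVersion) < 0
  );
}

for (const pin of outdatedPins(lockfile, "yargs", "7.1.2")) {
  console.log(`${pin.path.join(" -> ")} is below 7.1.2`);
}
console.log(`^7.1.0 admits 7.1.2: ${satisfiesCaret("^7.1.0", "7.1.2")}`);
```

In a real checkout `npm ls yargs` prints the same chain from the installed tree, and because the range admits the newer patch release, `npm update yargs` (or regenerating the lockfile) is enough to move the pin; the lockfile does not need to be deleted wholesale.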