jorgebucaran/getopts

Question: Is this package vulnerable to prototype pollution?

Closed this issue · 1 comment

Popular argument parsing libraries such as minimist and yargs-parser have been hit by prototype pollution before. Is this library affected as well?

It seems that this is related to the "parse dot options as object" feature, so I suspect the answer is no. However, I'd like to ask just in case.

Also, I see multiple uses of for...in loops in the code. While it would not directly cause prototype pollution, would it be affected by objects that have inherited enumerable properties?

See also:

> I suspect the answer is no. However, I'd like to ask just in case.

You're correct. Getopts doesn't have anything like minimist's "parse dot options as object" feature, so we're good.

> While it would not directly cause prototype pollution, would it be affected by objects that have inherited enumerable properties?

You're also correct.
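As an added example, not code from getopts or from either participant in this issue: a minimal "dot option" assigner in its naive and hardened forms, a probe a maintainer can run to check whether a parser pollutes Object.prototype, and the for...in versus Object.keys difference the question raises. All function names here are my own, and the argv inputs are constructed.

```javascript
// Path segments that must never be walked when assigning into a plain
// object, because they reach Object.prototype instead of the target.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Naive dot-option assignment: "a.b" -> target.a.b. Vulnerable: the key
// "__proto__.polluted" descends into Object.prototype and writes there.
function setPathNaive(target, path, value) {
  const parts = path.split(".");
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened form: refuse any forbidden segment, and only descend into
// containers the target *owns*, never into inherited properties.
function setPathSafe(target, path, value) {
  const parts = path.split(".");
  if (parts.some((p) => FORBIDDEN.has(p))) return false; // drop the whole key
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

// Tiny parser for "--key.path=value" arguments, parameterised by the assigner.
function parseDotOptions(argv, setPath) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setPath(out, m[1], m[2]);
  }
  return out;
}

// Probe: feed a parser a constructed argv, then ask whether a fresh {} now
// carries a property it never had. Cleans up so the check is repeatable.
function pollutesPrototype(parse) {
  parse(["--__proto__.polluted=yes"]); // constructed input
  const hit = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return hit;
}

// The for...in concern from the issue: for...in also visits inherited
// enumerable properties (own keys first, then the prototype chain);
// Object.keys returns own keys only.
function listKeys(obj) {
  const forIn = [];
  for (const k in obj) forIn.push(k);
  return { forIn, own: Object.keys(obj) };
}
```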