Remove yargs as a dependency due to security concerns
Opened this issue · 1 comment
sdasda7777 commented
Hi, could you please remove yargs as a dependency and use something else instead? A core dependency of yargs, yargs-parser, not only has vulnerabilities in the specific version you use, but seemingly hasn't been updated at all in the last two years, merge requests with additional fixes being ignored. I don't believe yargs should be trusted as a dependency when this is allowed.
sdasda7777 commented
```
# npm audit report

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    mldoc  *
    Depends on vulnerable versions of yargs
    node_modules/mldoc
```
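The audit report above shows a transitive chain (mldoc depends on yargs, which depends on yargs-parser) where the root-cause advisory has no fix available. A useful defender-side check is to gate CI on `npm audit --json` and surface exactly that chain, so an unfixable advisory in a transitive dependency becomes a tracked decision (replace, pin, or accept) rather than a warning that scrolls by. The script below is an added example, not code from the mldoc project or from the issue author. The embedded report is constructed to mirror the chain quoted in this issue and follows the field names of npm's `auditReportVersion: 2` output (`vulnerabilities`, `via`, `effects`, `fixAvailable`); that format is an assumption about your npm version, so compare it against `npm audit --json` on your own lockfile before relying on it.

```javascript
// Added example (not the project's code): evaluate an `npm audit --json`
// report, find the root-cause advisories, and reconstruct the dependency
// chain from each root cause up to the top-level package that pulls it in.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report, modelled on the chain quoted in this issue.
// Assumption: npm's auditReportVersion 2 shape, where an entry's `via`
// holds advisory objects for root causes and package-name strings for
// packages that are only vulnerable through a dependency.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "yargs-parser": {
      name: "yargs-parser",
      severity: "moderate",
      isDirect: false,
      via: [{
        title: "yargs-parser Vulnerable to Prototype Pollution",
        url: "https://github.com/advisories/GHSA-p9pc-299p-vxgp",
        severity: "moderate",
        range: ">=6.0.0 <13.1.2",
      }],
      effects: ["yargs"],
      range: "6.0.0 - 13.1.1",
      nodes: ["node_modules/yargs-parser"],
      fixAvailable: false,
    },
    yargs: {
      name: "yargs",
      severity: "moderate",
      isDirect: false,
      via: ["yargs-parser"],
      effects: ["mldoc"],
      range: "8.0.0-candidate.0 - 12.0.5",
      nodes: ["node_modules/yargs"],
      fixAvailable: false,
    },
    mldoc: {
      name: "mldoc",
      severity: "moderate",
      isDirect: true,
      via: ["yargs"],
      effects: [],
      range: "*",
      nodes: ["node_modules/mldoc"],
      fixAvailable: false,
    },
  },
};

// Root causes are the entries whose `via` contains at least one advisory
// object (as opposed to only package-name strings).
function rootCauses(report) {
  return Object.values(report.vulnerabilities).filter((v) =>
    v.via.some((x) => typeof x === "object" && x !== null));
}

// Follow `effects` upward from a package to every top-level package that
// depends on it; returns each path as an array of names. `seen` guards
// against cycles in malformed reports.
function dependencyChains(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name) || entry.effects.length === 0) return [[name]];
  seen.add(name);
  const chains = [];
  for (const parent of entry.effects) {
    for (const chain of dependencyChains(report, parent, new Set(seen))) {
      chains.push([name, ...chain]);
    }
  }
  return chains;
}

// Collect findings at or above `threshold`; the build should fail when any
// of them has no upstream fix, because that needs a human decision.
function evaluate(report, threshold = "moderate") {
  const findings = [];
  for (const root of rootCauses(report)) {
    const rank = SEVERITY_RANK[root.severity] ?? 0;
    if (rank < SEVERITY_RANK[threshold]) continue;
    findings.push({
      package: root.name,
      severity: root.severity,
      advisories: root.via
        .filter((x) => typeof x === "object" && x !== null)
        .map((a) => a.url),
      fixAvailable: Boolean(root.fixAvailable),
      chains: dependencyChains(report, root.name).map((c) => c.join(" -> ")),
    });
  }
  return { fail: findings.some((f) => !f.fixAvailable), findings };
}

// Summarise the constructed report; in CI, feed `npm audit --json` in
// instead and set process.exitCode from `result.fail`.
function main() {
  const result = evaluate(SAMPLE_REPORT);
  for (const f of result.findings) {
    console.log(`${f.severity}: ${f.package} (fix available: ${f.fixAvailable})`);
    f.advisories.forEach((u) => console.log("  advisory " + u));
    f.chains.forEach((c) => console.log("  chain    " + c));
  }
  return result;
}

main();
```

On the sample report this prints one moderate finding for yargs-parser with no fix available and the chain `yargs-parser -> yargs -> mldoc`; raising the threshold to `high` produces no findings, which is the knob a team uses to decide what blocks a merge versus what is only reported.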