sinedied/hads

vulnerability CVE-2020-7598 is introduced by package minimist

Closed this issue · 3 comments

ayaka-kms commented

Hi, a vulnerability CVE-2020-7598 is introduced in hads@3.0.0 via:
● hads@3.0.0 ➔ optimist@0.6.1 ➔ minimist@0.0.10

However, optimist is a legacy package, which has not been maintained for about 8 years.
Is it possible to migrate optimist to other package to remediate this vulnerability?

I noticed several migration records in other js repo for optimist:

  1. in handlebars, version 4.7.3-->4.7.4, migrate optimist to yargs via commit
  2. in db-migrate, version 1.0.0-beta.2-->1.0.0-beta.3, migrate optimist to yargs via commit
  3. in http-server, version 0.12.1-->0.12.2, deprecated optimist and directly use minimist via commit

Thanks.

sinedied commented

You're completely right, in most of my other projects I use minimist directly so I've failed to notice. I would be fine with migrating to either minimist or yargs, both are solid choices.

ayaka-kms commented

@sinedied Thanks for your answer.

sinedied commented

🎉 This issue has been resolved in version 3.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀