vseventer/sharp-cli

NPM flags 3 moderate severity vulnerabilities upon install

Closed this issue · 3 comments

Yaaaarg! Apologies if this is a repost, but I continue to see yargs-parser vulnerabilities in so many packages including this one. npm audit fix suggests installing sharp-cli version 1.3.0, which seems like an extreme rollback solution...

# npm audit report

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install sharp-cli@1.3.0, which is a breaking change
node_modules/sharp-cli/node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/sharp-cli/node_modules/yargs
    sharp-cli  >=1.4.0
    Depends on vulnerable versions of yargs
    node_modules/sharp-cli

3 moderate severity vulnerabilities
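As an added example (not code from this thread or from sharp-cli itself): a small Node script that reads the nested package.json files at the two node_modules paths the audit report lists and checks the installed versions against the ranges the report gives, so a rebuilt node_modules can be confirmed clean instead of relying on the audit summary alone. Assumptions: the project root is passed in as `root`, and the semver handling is deliberately minimal (pre-release tags are ignored).

```javascript
// Added example, not sharp-cli's own code; ranges and paths copied from the audit report above.
const ADVISORIES = [
  { name: "yargs-parser", low: "6.0.0", high: "13.1.1", why: "GHSA-p9pc-299p-vxgp" },
  { name: "yargs", low: "8.0.0-candidate.0", high: "12.0.5", why: "depends on vulnerable yargs-parser" },
];
const AUDIT_PATHS = [
  "node_modules/sharp-cli/node_modules/yargs-parser",
  "node_modules/sharp-cli/node_modules/yargs",
];

// "MAJOR.MINOR.PATCH[-prerelease]" -> [major, minor, patch]. The pre-release tag
// is dropped on purpose: npm audit's ranges are inclusive on the core triple.
function parseCore(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Inclusive "LOW - HIGH" range test, as npm audit prints it.
function inRange(version, low, high) {
  const v = parseCore(version);
  return compareCore(v, parseCore(low)) >= 0 && compareCore(v, parseCore(high)) <= 0;
}

// installed: [{ name, version, location }] -> entries matching an advisory.
function auditInstalled(installed) {
  const findings = [];
  for (const pkg of installed) {
    const adv = ADVISORIES.find(a => a.name === pkg.name && inRange(pkg.version, a.low, a.high));
    if (adv) findings.push({ ...pkg, why: adv.why });
  }
  return findings;
}

// Read name/version from each nested package.json under the project root.
// Missing paths are skipped: after an upgrade the nested copy may be gone.
function readInstalled(root, locations = AUDIT_PATHS) {
  const fs = require("fs"), path = require("path");
  return locations.flatMap(loc => {
    const file = path.join(root, loc, "package.json");
    if (!fs.existsSync(file)) return [];
    const { name, version } = JSON.parse(fs.readFileSync(file, "utf8"));
    return [{ name, version, location: loc }];
  });
}
```

Run it from the project root with `console.log(auditInstalled(readInstalled(process.cwd())))`; an empty list means neither nested copy is inside the flagged ranges.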

Not only NPM but also the GitHub security tab and Dependabot are nagging about this.

Yep, it's because the yargs dependency is horribly outdated, and I haven't taken the time to thoroughly update the CLI (which is required because yargs is the most fundamental dependency).

I'm currently working through updating the different commands, so hoping to get a new version out soon.

Fixed in v4.0.0, now available.