Minimist vulnerability CVE-2021-44906

Open IronGeek opened this issue 2 years ago • 4 comments

Please bump tsconfig-paths dependencies.

minimist <=v1.2.5 brings in a security vulnerability which affects all packages that depend on tsconfig-paths, including the json5 package also used in this package.

json5 already addresses this minimist issue in their latest version v2.2.1. As for minimist itself, based on the discussion here, a migration to an alternative package or another up-to-date fork may be needed.

IronGeek avatar Mar 22 '22 02:03 IronGeek

minimist has released a new version to address the security issue. So I guess the only thing left to do is just bumping the minimist version in tsconfig-paths to v1.2.6.

IronGeek avatar Mar 22 '22 04:03 IronGeek

This issue is already fixed by https://github.com/dividab/tsconfig-paths/pull/197

F3n67u avatar Mar 25 '22 05:03 F3n67u

I am waiting on the [email protected] dependency to be updated. As the original comment says, the latest json5 version is v2.2.1.

If there is a work-around please do let me know.

jon-shipley avatar Apr 20 '22 15:04 jon-shipley

@F3n67u it seems that the issue did not actually get fixed by #197. Upon checking npm ls json5, the [email protected] is still depending on [email protected]

lightzane avatar Apr 28 '22 17:04 lightzane
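
The npm ls check from the comment above, extended to the whole dependency tree, as an added example that is not part of the thread or of tsconfig-paths: it walks a tree in the JSON shape npm ls prints and lists every path that resolves minimist at or below v1.2.5. The tree, the demo-app name and the 0.0.0-constructed versions are constructed sample data.

```javascript
'use strict';

// From the issue: minimist <= v1.2.5 is affected, v1.2.6 carries the fix.
const LAST_AFFECTED = [1, 2, 5];

// "1.2.5" or "1.2.5-beta.1" -> [1, 2, 5]; null when the string is not a version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // unknown or missing version: report it, do not pass silently
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 1.2.5
}

// Depth-first walk over the `dependencies` maps of an `npm ls --json` tree.
// Returns one line per affected copy, showing which parent pulls it in.
function findAffected(tree, target = 'minimist', trail = [tree.name || '(root)']) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    if (name === target && isAffected(node.version)) {
      hits.push(`${trail.join(' > ')} > ${name}@${node.version || 'unknown'}`);
    }
    hits.push(...findAffected(node, target, trail.concat(name)));
  }
  return hits;
}

// Constructed sample tree (not real output from any project).
const SAMPLE_TREE = {
  name: 'demo-app',
  dependencies: {
    'tsconfig-paths': {
      version: '0.0.0-constructed',
      dependencies: {
        json5: { version: '0.0.0-constructed', dependencies: { minimist: { version: '1.2.5' } } },
        minimist: { version: '1.2.6' },
      },
    },
    minimist: { version: '1.2.0' },
  },
};

console.log(findAffected(SAMPLE_TREE).join('\n'));
```

To run it against a real project, pass the parsed output of `npm ls --all --json` to `findAffected` in place of the sample tree.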

I'm closing this since all the problematic dependencies have been updated in v4. Related PR: #197, #198

IronGeek avatar Sep 03 '22 17:09 IronGeek