
yargs-parser security update

Open jamie-pate opened this issue 3 years ago • 1 comment

npm audit is now complaining about a security advisory in the 14.0.0 version of yargs-parser... seems like the fix is to upgrade to >= 15.0.1: https://github.com/advisories/GHSA-p9pc-299p-vxgp

BREAKING CHANGES rework collect-unknown-options into unknown-options-as-args, providing more comprehensive functionality

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution in yargs-parser                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=15.0.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ typed-cli                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ typed-cli > yargs-parser                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-p9pc-299p-vxgp            │
└───────────────┴──────────────────────────────────────────────────────────────┘

jamie-pate avatar Nov 23 '21 22:11 jamie-pate

@jamie-pate can you provide full steps to reproduce this output?

My npm audit reports some other moderate issues.

From what I can tell, typed-cli depends on a 20+ version of yargs-parser: https://github.com/int0h/typed-cli/blob/master/package.json#L30

If you want, you can try to upgrade the deps yourself and submit a PR. If it's only a deps update and it passes the tests, I'll merge it.

int0h avatar Dec 03 '21 16:12 int0h
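The two posts disagree about which yargs-parser is installed (the audit table reports 14.0.0 under the path typed-cli > yargs-parser, while package.json asks for a 20+ release). The script below, an added example that is not part of typed-cli or yargs-parser, walks an npm v1 lockfile (its nested "dependencies" tree) and lists every copy of a package whose version is below the minimum patched version from the advisory; the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example (not typed-cli or yargs-parser code): find every nested copy of a
// package in an npm v1 lockfile whose version is below the minimum patched version.
// No dependencies, so it runs with plain `node`.

function parseVersion(v) {
  const [core, pre] = v.split('-');           // "15.0.1-beta.2" -> core + pre-release
  return { nums: core.split('.').map(Number), pre: pre || null };
}

// Returns -1, 0 or 1; a pre-release sorts below the matching release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] || 0, y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Recurse through nested "dependencies" objects. `minPatched` is the lowest fixed
// version (">=15.0.1" in the audit table above); `path` is the node_modules nesting.
function findVulnerable(lock, pkg, minPatched, path = [], out = []) {
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const chain = [...path, name];
    if (name === pkg && compareVersions(info.version, minPatched) < 0) {
      out.push({ version: info.version, path: chain.join(' > ') });
    }
    findVulnerable(info, pkg, minPatched, chain, out);   // nested copies
  }
  return out;
}

// Constructed sample lockfile: a hoisted, patched yargs-parser plus an older copy
// nested under typed-cli (the typed-cli version here is made up).
const sampleLock = {
  dependencies: {
    'typed-cli': {
      version: '1.0.0',
      requires: { 'yargs-parser': '^14.0.0' },
      dependencies: { 'yargs-parser': { version: '14.0.0' } },
    },
    'yargs-parser': { version: '20.2.0' },
  },
};

function report(lock) {
  return findVulnerable(lock, 'yargs-parser', '15.0.1').map(h => `${h.version} at ${h.path}`);
}

console.log(report(sampleLock).join('\n'));   // 14.0.0 at typed-cli > yargs-parser
```

To check a real project, JSON.parse its package-lock.json and pass the object to findVulnerable; note that advisories often fix several release lines, so compare against the patched version for the line actually installed.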