
Update command-line-usage to ^7.0.3 to resolve @75lb/deep-merge security vulnerability

Open sunilrathore24 opened this issue 2 months ago • 0 comments

Description

@web/test-runner@0.20.2 currently uses command-line-usage@^7.0.1, which has a transitive dependency on a vulnerable version of @75lb/[email protected] (prototype pollution vulnerability).

Current Dependency Chain

@web/test-runner@0.20.2
└── command-line-usage@^7.0.1
    └── [email protected]
        └── @75lb/deep-merge@^1.1.1 (VULNERABLE)

Proposed Solution

Update to command-line-usage@^7.0.3 which uses table-layout@^4.1.0 that has removed the vulnerable dependency entirely.

Security Impact

  • Vulnerability: Prototype Pollution in @75lb/[email protected]
  • CVE Reference: https://github.com/75lb/deep-merge/issues/1
  • Current Workaround: Using yarn resolutions to force @75lb/[email protected]

Versions

  • @web/test-runner: 0.20.2
  • command-line-usage current: 7.0.1
  • command-line-usage latest: 7.0.3

sunilrathore24 · Nov 07 '25 05:11
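The defect class the issue names is prototype pollution through a recursive merge: a merge routine that copies every key of an untrusted object, including `__proto__`, ends up writing onto `Object.prototype`. The following is an added illustration of that class and of the check a hardened merge performs; it is generic example code, not the issue author's code and not the source of @75lb/deep-merge or table-layout, and it makes no claim about the exact code path in the affected package. The `naiveMerge`, `safeMerge` and `isPlainObject` names are this example's own.

```javascript
// Keys that, when assigned through a recursive merge, reach the prototype
// chain instead of the target object itself.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for ordinary object literals / JSON objects, so the merge never
// recurses into arrays, class instances, or inherited objects.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Naive recursive merge (the vulnerable pattern, shown for comparison).
// JSON.parse('{"__proto__": {...}}') yields an OWN property named "__proto__",
// so Object.keys() returns it; reading dst["__proto__"] then returns
// Object.prototype, and the recursion writes the attacker's keys onto it.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      naiveMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: rejects prototype-reaching keys outright and only recurses
// into own, plain-object properties of the destination.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-polluting key: ${key}`);
    }
    const val = src[key];
    if (isPlainObject(val)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(dst, key) && isPlainObject(dst[key]);
      if (!ownPlain) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Detection helper: does a freshly created object carry a property it should
// not have? Useful as a post-condition check in tests that exercise merges on
// untrusted input.
function prototypeIsPolluted(prop) {
  return ({})[prop] !== undefined;
}

module.exports = { naiveMerge, safeMerge, isPlainObject, prototypeIsPolluted };
```

Used on a constructed untrusted payload such as `JSON.parse('{"a":1,"__proto__":{"polluted":"yes"}}')`, `safeMerge` throws before touching the prototype chain, while `naiveMerge` leaves every subsequently created object with a `polluted` property; `prototypeIsPolluted('polluted')` distinguishes the two outcomes. The same own-property and plain-object checks are what the patched `table-layout@^4.1.0` line in the issue avoids needing, by dropping the merge dependency altogether.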