cacache
High severity vulnerability detected in dependencies
A security assessment was performed and vulnerabilities were found in dependency sane
It is requested to update the version in package-lock.json from `"y18n": "^4.0.0"` to `"y18n": "^5.0.5"`
reference:
https://github.com/yargs/y18n/pull/109
Is this project dead? Last commits: @isaacs @claudiahdz
NextJS 10 is pulling in cacache 12.x and we would appreciate either an upgrade to y18n (5.0.5) or a removal in a 12.x patch.
next 10 -> webpack 4.x: https://github.com/vercel/next.js/blob/canary/packages/next/package.json#L107
webpack 4.x -> terser-webpack-plugin 1.4.x: https://github.com/webpack/webpack/blob/v4.44.1/package.json#L28
terser-webpack-plugin 1.4.x -> cacache 12.x: https://github.com/webpack-contrib/terser-webpack-plugin/blob/v1.4.5/package.json#L40
I recognize that cacache 15 (latest) no longer uses this library, but popular libraries (on their latest versions) are going to pull in cacache 12.
Would appreciate a heads up if a patch to cacache 12.x is not in the cards so I can go up the chain of libraries pulling this in and see if they can upgrade to a later version of cacache.
Thanks ahead of time!
@andressantiago y18n 4.0.1 has the patch: https://nvd.nist.gov/vuln/detail/CVE-2020-7774
Did not see they had a version 4.0.1, it's not tagged on their repo :( Thank you so much for pointing this out!
npm outlines a as of Mar 29th, 2021
y18n before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to prototype pollution.
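As an added example (not code from the cacache project or from anyone in this thread), the following script walks a lockfile-v1 `dependencies` tree such as the next > webpack > terser-webpack-plugin > cacache chain described above, finds every nested `y18n` entry, and flags it when its resolved version is below the fixed release for its major line (3.2.2, 4.0.1, 5.0.5, as the advisory quote states). The sample lockfile object is constructed for illustration; apart from the webpack and terser-webpack-plugin versions named in the thread, its version numbers and nesting are made up, and the version comparison ignores prerelease tags.

```javascript
// Fixed y18n release per major line, per the advisory quoted in the thread.
const FIXED = { 3: "3.2.2", 4: "4.0.1", 5: "5.0.5" };

// Numeric comparison of two "x.y.z" strings (assumption: no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Vulnerable when below the fixed version of its major line; majors older
// than 3 have no fixed release ("before 3.2.2"), newer than 5 are fixed.
function isVulnerableY18n(version) {
  const major = Number(version.split(".")[0]);
  if (major < 3) return true;
  if (major > 5) return false;
  return compareVersions(version, FIXED[major]) < 0;
}

// Recursively walk a lockfile-v1 "dependencies" map, recording the nesting
// path and verdict of every y18n entry found.
function findY18n(deps, path = [], out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === "y18n") {
      out.push({ path: here.join(" > "), version: entry.version,
                 vulnerable: isVulnerableY18n(entry.version) });
    }
    findY18n(entry.dependencies, here, out);
  }
  return out;
}

// Constructed sample lockfile mirroring the chain in the thread; the
// cacache/yargs/next versions and the nesting are made up for illustration.
const SAMPLE_LOCK = {
  dependencies: {
    next: { version: "10.0.0", dependencies: {
      webpack: { version: "4.44.1", dependencies: {
        "terser-webpack-plugin": { version: "1.4.5", dependencies: {
          cacache: { version: "12.0.4", dependencies: {
            y18n: { version: "4.0.0" } } } } } } } } },
    yargs: { version: "16.0.0", dependencies: { y18n: { version: "5.0.5" } } }
  }
};

// Returns one record per y18n occurrence, vulnerable ones marked true.
function report(lock) { return findY18n(lock.dependencies); }
```

Run `report(SAMPLE_LOCK)` to get the list; in a real repository, pass the parsed contents of package-lock.json instead of the sample object.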