
Vulnerability in dependency Minimist

Open jschaefer77 opened this issue 2 years ago • 1 comments

Describe the bug

Our Vulnerability scanner found the following:

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). This vulnerability exists in a transitive dependency.

We recommend upgrading the vulnerable package minimist to version 1.2.6.

Environment:

  • Library version: 7.5.13

jschaefer77 avatar Mar 25 '22 07:03 jschaefer77
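The scanner finding above names the mechanism (prototype pollution through a key-path setter like setKey()) but not what it looks like. The following is an added illustration written for this page, not minimist's source and not the project's code: a minimal "--a.b.c=value" parser in that style, first with a setter that follows any key path, then with the guard that stops the walk before it reaches Object.prototype, plus a helper that tests a minimist version string against the affected range stated in the report (<= 1.2.5). The argv inputs are constructed; the parser handles only the `--key=value` form (an assumption made to keep the example short).

```javascript
// Vulnerable setter: walks the dotted key path into nested objects without
// checking the keys. Because ({}).__proto__ and ({}).constructor.prototype
// both resolve to Object.prototype, a crafted argument lands a property there.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Guard: refuse "__proto__" outright, and refuse "constructor" when it is a
// function (i.e. when following it would lead to a real prototype object).
function isConstructorOrProto(obj, key) {
  return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';
}

// Hardened setter: same walk, but every hop and the final write are guarded.
function setKeySafe(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (isConstructorOrProto(o, key)) return;
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (isConstructorOrProto(o, last)) return;
  o[last] = value;
}

// Tiny argv parser over either setter. Assumption: only "--a.b.c=value" args.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setKey(out, m[1].split('.'), m[2]);
  }
  return out;
}

// Detection check: does Object.prototype now carry an attacker-chosen own property?
function isPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Undo a pollution so later code in the same process is not affected.
function cleanup(name) {
  delete Object.prototype[name];
}

// Version triage: is a minimist version inside the range the report calls
// vulnerable (<= 1.2.5), i.e. below the first fixed release 1.2.6?
function isAffectedVersion(version) {
  const parts = version.split('.').map(Number);
  const fixed = [1, 2, 6];
  for (let i = 0; i < 3; i++) {
    if (parts[i] < fixed[i]) return true;
    if (parts[i] > fixed[i]) return false;
  }
  return false;
}

// Constructed malicious inputs: two key paths that both reach Object.prototype.
const POLLUTING_ARGV = ['--x.constructor.prototype.polluted=yes'];
const POLLUTING_ARGV_PROTO = ['--__proto__.polluted=yes'];

// Stand-alone demo.
parseArgs(POLLUTING_ARGV, setKeyUnsafe);
console.log('unsafe setter polluted Object.prototype:', isPolluted('polluted'));
cleanup('polluted');
parseArgs(POLLUTING_ARGV, setKeySafe);
parseArgs(POLLUTING_ARGV_PROTO, setKeySafe);
console.log('safe setter polluted Object.prototype:', isPolluted('polluted'));
console.log('1.2.5 affected:', isAffectedVersion('1.2.5'), ' 1.2.6 affected:', isAffectedVersion('1.2.6'));
```

The practical point for a transitive dependency is the second half: run `isAffectedVersion` (or your scanner) against every copy of minimist the lockfile resolves, not just the hoisted one, since each nested copy is loaded by the package that requested it.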

More details:

❯ yarn why minimist
yarn why v1.22.15
[1/4] 🤔  Why do we have the module "minimist"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "minimist"
info Reasons this module exists
   - "workspace-aggregator-6f1908b9-4af4-407e-896a-a4482a22b06d" depends on it
   - Hoisted from "_project_#meow#minimist"
   - Hoisted from "_project_#mkdirp#minimist"
   - Hoisted from "_project_#cypress#minimist"
   - Hoisted from "_project_#jest-haste-map#sane#minimist"
   - Hoisted from "_project_#registry-auth-token#rc#minimist"
   - Hoisted from "_project_#eslint-plugin-import#tsconfig-paths#minimist"
   - Hoisted from "_project_#start-server-and-test#wait-on#minimist"
   - Hoisted from "_project_#jest-haste-map#sane#@cnakazawa#watch#minimist"
   - Hoisted from "_project_#eslint-plugin-import#tsconfig-paths#json5#minimist"
   - Hoisted from "_project_#@stoplight#elements-core#@stoplight#scripts#cz-conventional-changelog#commitizen#minimist"
   - Hoisted from "_project_#@stoplight#elements-core#resolve-url-loader#loader-utils#json5#minimist"
   - Hoisted from "_project_#@storybook#addon-postcss#css-loader#loader-utils#json5#minimist"
   - Hoisted from "_project_#@storybook#react#webpack#loader-utils#json5#minimist"
   - Hoisted from "_project_#lerna#@lerna#create#@lerna#child-process#strong-log-transformer#minimist"
   - Hoisted from "_project_#@storybook#addon-docs#@storybook#builder-webpack4#css-loader#loader-utils#json5#minimist"
   - Hoisted from "_project_#@storybook#builder-webpack5#@storybook#core-common#webpack#loader-utils#json5#minimist"
   - Hoisted from "_project_#@stoplight#elements-core#@stoplight#scripts#@semantic-release#release-notes-generator#conventional-changelog-writer#handlebars#minimist"
   - Hoisted from "_project_#lerna#@lerna#version#@lerna#conventional-commits#conventional-changelog-core#get-pkg-repo#meow#minimist"
   - Hoisted from "_project_#@storybook#addon-docs#@storybook#core#@storybook#core-server#webpack#loader-utils#json5#minimist"
   - Hoisted from "_project_#@storybook#addon-docs#@storybook#core#@storybook#core-server#@storybook#manager-webpack4#css-loader#loader-utils#json5#minimist"
info Disk size without dependencies: "104KB"
info Disk size with unique dependencies: "104KB"
info Disk size with transitive dependencies: "104KB"
info Number of shared dependencies: 0
=> Found "commitizen#[email protected]"
info This module exists because "_project_#@stoplight#elements-core#@stoplight#scripts#commitizen" depends on it.
info Disk size without dependencies: "96KB"
info Disk size with unique dependencies: "96KB"
info Disk size with transitive dependencies: "96KB"
info Number of shared dependencies: 0
=> Found "optimist#[email protected]"
info This module exists because "_project_#@stoplight#elements#@stoplight#http-spec#json-schema-generator#optimist" depends on it.
info Disk size without dependencies: "80KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "80KB"
info Number of shared dependencies: 0
✨  Done in 1.23s.

Nezteb avatar Apr 14 '22 17:04 Nezteb

minimist is currently at 1.2.6.

raleigh04 avatar Apr 05 '23 18:04 raleigh04