
Security alert in minimist

Open tahini opened this issue 2 years ago • 1 comment

In our project's security dependabot alerts, we have a critical alert that we can trace back to this package:

Prototype Pollution in minimist

The latest possible version of minimist that can be installed is 0.0.5.

The earliest fixed version is 1.2.6.

We use osmtogeojson 3.0.0-beta.4, which depends on @mapbox/geojson-rewind@0.4.0, which itself depends on minimist 1.2.0 and sharkdown ^0.1.0, which in turn depends on minimist 0.0.5.

If this plugin could depend on ^0.4.0 instead of 0.4.0, the dependency alert could probably be fixed.

tahini • Jun 06 '22 15:06
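An added example, not code from this issue or from the osmtogeojson project: a small Node script that walks a package-lock.json v2 `packages` map and lists every resolved copy of a package, flagging those older than the advisory's fixed version. The lock content is constructed to mirror the chain described above (osmtogeojson → @mapbox/geojson-rewind → minimist 1.2.0 and sharkdown → minimist 0.0.5); `compareVersions` and `findCopies` are this example's own helpers.

```javascript
// Added example, not code from the issue or the osmtogeojson project: walk a
// package-lock.json v2 "packages" map and list every resolved copy of a
// package, flagging copies older than the version the advisory was fixed in.
// SAMPLE_LOCK is a constructed, minimal lock mirroring the chain in the issue.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/osmtogeojson": { version: "3.0.0-beta.4",
      dependencies: { "@mapbox/geojson-rewind": "0.4.0" } },
    "node_modules/@mapbox/geojson-rewind": { version: "0.4.0",
      dependencies: { minimist: "1.2.0", sharkdown: "^0.1.0" } },
    "node_modules/minimist": { version: "1.2.0" },
    "node_modules/sharkdown": { version: "0.1.0",
      dependencies: { minimist: "0.0.5" } },
    // npm nests a second copy because sharkdown's range cannot share 1.2.0
    "node_modules/sharkdown/node_modules/minimist": { version: "0.0.5" },
  },
};

// Numeric x.y.z comparison; a pre-release suffix such as "-beta.4" is dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, with its lock path and whether it predates
// `fixedIn`. Matching the full path suffix avoids hits on "minimist-foo".
function findCopies(lock, name, fixedIn) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith("/" + suffix))
    .map(([p, meta]) => ({
      path: p,
      version: meta.version,
      vulnerable: compareVersions(meta.version, fixedIn) < 0,
    }));
}

// Each line names the nested path, so the reader sees which parent pulls in
// the old copy; both copies here predate the 1.2.6 fix.
for (const c of findCopies(SAMPLE_LOCK, "minimist", "1.2.6")) {
  console.log(`${c.vulnerable ? "VULN" : "ok  "} ${c.version}  ${c.path}`);
}
```

Relaxing a parent's pin (as the issue suggests with ^0.4.0) only helps if the parent's newer release resolves the transitive range; rerunning this check on the regenerated lock confirms whether a copy below 1.2.6 remains.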

Fixed in 3.0.0-beta.5

vavsab • Oct 18 '22 16:10