yargs-parser are vulnerable to prototype pollution in version 3.4.1 #8970

Closed

Closed

yargs-parser are vulnerable to prototype pollution in version 3.4.1#8970

Labels

issue: bug reportneeds triage

Describe the bug

yargs-parser are vulnerable to prototype pollution in version 3.4.1

Expected behavior

should fix the security issue.

Actual behavior

yargs-parser are vulnerable to prototype pollution in version 3.4.1.

added

issue: bug report

Contributor

yargs-parser@3.4.1 doesn't exist.

closed this as completed

@ianschmitz I believe this issue is referring to react-scripts version 3.4.1 not yargs-parser.

-- react-scripts@3.4.1
+-- jest@24.9.0
| -- jest-cli@24.9.0
| -- -- yargs@13.3.2
| -- -- -- yargs-parser@13.1.2
-- webpack-dev-server@3.10.3
-- -- yargs@12.0.5
-- -- -- yargs-parser@11.1.1

Why was this issue closed if the issue has not been fixed? react-scripts 3.4.1 is still vulnerable and will cause an npm audit to return non-zero:

Low Prototype Pollution 

Package yargs-parser 

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 

Dependency of react-scripts [dev] 

Path react-scripts > webpack-dev-server > yargs > yargs-parser 

More info https://npmjs.com/advisories/1500

Contributor

this has been resolved on master but not yet released: #8975

Any sense of when that release will be?

locked and limited conversation to collaborators

on May 20, 2020

to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

Labels

issue: bug reportneeds triage

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Participants