Package dependency triggers NPM advisory (1179) #1898
Comments
FYI, it looks like optimist is deprecated (no new versions in 7 years) with a recommendation to use minimist instead.

@abtris or another maintainer... looking for some guidance here. It appears optimist is used as the command line parser for this project's CLI, would you be open to a pull request where that is swapped out for a more current package (such as yargs, minimist, etc.)? Seems like swapping that out is the best way to get rid of this security alert for good. If not, any other suggestions?

I see in Dependabot:

@opichals @kuba-kubula any advice on this?

I did some prior analysis in #1695 (comment) with a suggestion on how to proceed. Looks like yargs as a replacement might be a bit problematic due to licensing (although this may have changed). Last I checked minimist shouldn't be much of a problem, and it's already in the dependency tree albeit an older version.
Describe the bug
npm audit triggers an advisory from a tertiary dependency.

To Reproduce
Run npm audit and observe that the vulnerability ID is listed.

Expected behavior
npm audit should not list any vulnerabilities tied to this package (or its dependencies).

What is in your dredd.yml?
N/A

What's your dredd --version output?
N/A

Does dredd --loglevel=debug uncover something?
N/A

Can you send us a failing test in a Pull Request?
N/A