
Fix: Upgrade yargs to ^16.0.0


Hi,

There is a patch to a high severity vulnerability available for yargs. Can you please update to version ^16.0.0 or so? It would resolve CVE-2020-7774.

https://snyk.io/test/npm/yargs/15.3.1

Thank you in advance!

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 8 (3 by maintainers)

Top GitHub Comments

1 reaction
arielperez82 commented, Nov 30, 2020

Good callout Jamie.

On Mon, Nov 30, 2020 at 8:42 PM Jamie Peabody notifications@github.com wrote:

Note that this PR should be a breaking change. Previously, copyfiles would work on node 8.x as it was using yargs 15.3.1, which was using engines >= 8 https://github.com/yargs/yargs/blob/v15.3.1/package.json#L75. Now, copyfiles uses yargs 16.1.0, using engines >= 10 https://github.com/yargs/yargs/blob/v16.1.0/package.json#L117.


0 reactions
wickedest commented, Nov 30, 2020

Note that this change should be a breaking change. Previously, copyfiles would work on node 8.x as it was using yargs 15.3.1, which was using engines >= 8. Now, copyfiles uses yargs 16.1.0, using engines >= 10.

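The two comments above make a point that is easy to miss when bumping a dependency to pick up a security fix: yargs 16.x raised its package.json "engines.node" floor from ">=8" to ">=10", so consumers still on Node 8 would break. The script below is an added example (not code from copyfiles or yargs) that automates that check. Only the package names, versions and engines values come from the thread; the package.json fragments are constructed, and the Node majors tested against are an assumed list.

```javascript
// Added example (not copyfiles' or yargs' code): detect when a dependency
// bump raises the minimum Node version declared in package.json "engines".
// The two package.json fragments are constructed from the engines values
// quoted in the thread (yargs 15.3.1: ">=8", yargs 16.1.0: ">=10").

// Parse "1.2.3" / "v10" / "8" into [major, minor, patch].
function parseVersion(v) {
  const parts = String(v).replace(/^v/, "").split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// -1, 0 or 1, comparing numerically field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check: comparator sets separated by "||", each a
// whitespace-separated AND of ">=", "<=", ">", "<", "=" comparators.
// Caret and tilde ranges are deliberately unsupported; the engines fields
// in the thread only use ">=". Unknown syntax throws rather than passing.
function satisfies(version, range) {
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).filter(Boolean).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?\s*(.+)$/.exec(cmp);
      if (!m) throw new Error(`bad comparator: ${cmp}`);
      const [, op = "=", target] = m;
      const c = compareVersions(version, target);
      switch (op) {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    })
  );
}

// Node majors (from the candidate list) that the old package's engines.node
// accepted but the new package's rejects. A missing engines field is treated
// as "any version", as npm does.
function droppedNodeMajors(oldPkg, newPkg, candidates) {
  const oldRange = (oldPkg.engines && oldPkg.engines.node) || "*";
  const newRange = (newPkg.engines && newPkg.engines.node) || "*";
  const ok = (range, major) => range === "*" || satisfies(`${major}.0.0`, range);
  return candidates.filter((m) => ok(oldRange, m) && !ok(newRange, m));
}

// Constructed package.json fragments; only name, version and engines are
// taken from the thread.
const yargs1531 = { name: "yargs", version: "15.3.1", engines: { node: ">=8" } };
const yargs1610 = { name: "yargs", version: "16.1.0", engines: { node: ">=10" } };

// Assumed list of Node majors a consumer might still be running.
const nodeMajors = [8, 10, 12, 14];

const dropped = droppedNodeMajors(yargs1531, yargs1610, nodeMajors);
if (dropped.length > 0) {
  console.log(
    `engines.node tightened from "${yargs1531.engines.node}" to ` +
    `"${yargs1610.engines.node}"; Node ${dropped.join(", ")} no longer ` +
    `supported, so the bump is a breaking change for consumers`
  );
}
```

Run it with `node` after saving it to a file; the same check can be wired into CI by reading the old and new package.json from `node_modules/yargs` before and after `npm install`. The range parser is intentionally narrow so that an engines value it does not understand fails loudly instead of being silently accepted.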

