Replace optimist or otherwise avoid its vulnerability
optimist depends on a vulnerable version of minimist (see https://npmjs.com/advisories/1179).
Despite having an issue and PR filed with optimist, since the last commit on optimist was 6 years ago, and since the package is deprecated (and it has also been awaiting a fix for a proper license specifier, making automated license audits problematic in the interim), it’d be really nice if you could drop the optimist dependency, perhaps using one of its suggested replacements (yargs, nomnom, or using minimist directly, though if the latter, I’d hope pegging against the maintained major bump).
(I personally like command-line-args, as one can use it with command-line-usage or my command-line-basics tools to get documentation (both at the command line and as SVG, allowing embedding in a README) from a simple declarative schema.)
- Created 3 years ago
Top GitHub Comments
@debrice: Yes, thank you, but not every project is using Yarn.