Update yargs-parser dependency
Environment Information
- Lighthouse version: 5.6.0
Hi, I’m trying to resolve some npm vulnerabilities gotten from npm audit
on my project and there are some that are coming from this package.
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of lighthouse
Path lighthouse > chrome-launcher > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of lighthouse
Path lighthouse > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of lighthouse
Path lighthouse > yargs-parser
More info https://npmjs.com/advisories/1500
I’ve been looking at your dependency tree and it seems like you are locked into the yargs-parser version, you use a legacy version of mkdirp, and chrome-launcher seems to use this same version. I want to remove these vulnerabilities but I don’t want to update these packages and have them break your usages. What is your guidance to fix this issue?
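As an added example (not part of this issue or of the Lighthouse project), the script below reproduces what npm audit reported here: it walks a package-lock.json-style tree, lists every path that ends in minimist or yargs-parser, and checks each found version against the advisory's patched ranges. The lockfile fragment and its version numbers are constructed assumptions, not the real Lighthouse tree.

```javascript
// Patched ranges as printed by npm audit (advisories 1179 and 1500).
const PATCHED = {
  minimist: ">=0.2.1 <1.0.0 || >=1.2.3",
  "yargs-parser": ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2",
};

// Constructed package-lock.json (v1-style nesting) mirroring the three audit
// paths above; the version numbers are assumptions for illustration only.
const LOCK = {
  name: "my-app",
  dependencies: {
    lighthouse: {
      version: "5.6.0",
      dependencies: {
        "chrome-launcher": { version: "0.12.0", dependencies: {
          mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } } } },
        mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } },
        "yargs-parser": { version: "13.1.1" },
      },
    },
  },
};

// Compare two dotted versions numerically (major.minor.patch; no pre-release tags).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Evaluate the range grammar npm audit prints: "||"-separated sets of
// space-separated comparators using >=, <=, >, < or =.
function satisfies(version, range) {
  return range.split("||").some(set => set.trim().split(/\s+/).every(c => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const d = cmp(version, m[2]), op = m[1] || "=";
    return op === ">=" ? d >= 0 : op === "<=" ? d <= 0 : op === ">" ? d > 0 : op === "<" ? d < 0 : d === 0;
  }));
}

// Depth-first walk: every node whose name has a patched range but whose
// installed version is outside it is reported with its full dependency path.
function findVulnerable(tree, patched, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (patched[name] && !satisfies(node.version, patched[name])) {
      out.push({ path: here.join(" > "), version: node.version, patched: patched[name] });
    }
    findVulnerable(node, patched, here, out);
  }
  return out;
}

for (const v of findVulnerable(LOCK, PATCHED)) console.log(`${v.path}@${v.version} (patched in ${v.patched})`);
```

Pointing the walker at a real lockfile shows which paths a fix must cover: a top-level bump only fixes the direct path, while the nested ones require the intermediate packages to update or a lockfile override.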
Top GitHub Comments
How to update yargs-parser to the latest version??
@Ajayyy18 #10723 does this, there’s nothing for you to do on your end.