
Update yargs-parser dependency

Environment Information

  • Lighthouse version: 5.6.0

Hi, I’m trying to resolve some npm vulnerabilities gotten from npm audit on my project and there are some that are coming from this package.

  Low             Prototype Pollution
  Package         minimist
  Patched in      >=0.2.1 <1.0.0 || >=1.2.3
  Dependency of   lighthouse
  Path            lighthouse > chrome-launcher > mkdirp > minimist
  More info       https://npmjs.com/advisories/1179

  Low             Prototype Pollution
  Package         minimist
  Patched in      >=0.2.1 <1.0.0 || >=1.2.3
  Dependency of   lighthouse
  Path            lighthouse > mkdirp > minimist
  More info       https://npmjs.com/advisories/1179

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of   lighthouse
  Path            lighthouse > yargs-parser
  More info       https://npmjs.com/advisories/1500

I’ve been looking at your dependency tree and it seems like you are locked into the yargs-parser version; you use a legacy version of mkdirp, and chrome-launcher seems to use this same version. I want to remove these vulnerabilities but I don’t want to update these packages and have them break your usages. What is your guidance to fix this issue?
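To show the bug class behind advisories 1179 and 1500 above, here is an added example that is not code from lighthouse, minimist or yargs-parser: a hypothetical toy `--key=value` parser in its unguarded and guarded forms, plus the post-parse check a defender can put in a test suite. All function names and the sample argv are constructed for illustration.

```javascript
// Keys that let a dotted option path walk onto Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at dotted `path` inside `obj` (e.g. "a.b" -> obj.a.b).
// With `guard` true, any unsafe segment aborts the assignment and returns false.
function setPath(obj, path, value, guard) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (guard && UNSAFE_KEYS.has(k)) return false;
    // Unguarded: cur['__proto__'] resolves to Object.prototype, so the
    // final assignment below lands on every object in the process.
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  const last = keys[keys.length - 1];
  if (guard && UNSAFE_KEYS.has(last)) return false;
  cur[last] = value;
  return true;
}

// Toy --key=value / --a.b=value parser (hypothetical, not minimist or yargs-parser).
// safe: true is the fixed behaviour; safe: false reproduces the advisory's bug class.
function parseArgs(argv, { safe = true } = {}) {
  const opts = {};
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const key = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    if (!setPath(opts, key, value, safe)) rejected.push(key);
  }
  return { opts, rejected };
}

// Post-parse check for a test suite: did anything land on Object.prototype
// that a fresh object now inherits?
function isPrototypePolluted(probeKey) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
}

// Constructed sample argv: a normal Lighthouse-style flag next to a poisoned one.
const SAMPLE_ARGV = ['--output=html', '--__proto__.polluted=yes'];
const guarded = parseArgs(SAMPLE_ARGV, { safe: true });
console.log(guarded.rejected);                 // ['__proto__.polluted']
console.log(isPrototypePolluted('polluted'));  // false
```

Running the same argv with `safe: false` is what `npm audit` is warning about: the guard is the whole difference between the patched and unpatched ranges listed above.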

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 7

Top GitHub Comments

Ajay-Kamath commented, May 11, 2020 (1 reaction)

You are right, I messed up: the lighthouse version I use is 5.6.0; the yargs-parser was the one that was 7.0.0 but needed to be updated. My bad.

How to update yargs-parser to the latest version?

patrickhulce commented, May 11, 2020 (0 reactions)

@Ajayyy18 #10723 does this, there’s nothing for you to do on your end.
