Upgrade yargs to avoid dependency issue
I'm a maintainer of cucumber-js; we use this tool and were recently alerted to the following issue with a dependency of nyc:
$ yarn audit
yarn audit v1.22.10
┌───────────────┬─────────────────────────────────────────┐
│ high          │ Prototype Pollution                     │
├───────────────┼─────────────────────────────────────────┤
│ Package       │ y18n                                    │
├───────────────┼─────────────────────────────────────────┤
│ Patched in    │ >=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0 │
├───────────────┼─────────────────────────────────────────┤
│ Dependency of │ nyc                                     │
├───────────────┼─────────────────────────────────────────┤
│ Path          │ nyc > yargs > y18n                      │
├───────────────┼─────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1654   │
└───────────────┴─────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 732
Severity: 1 High
✨ Done in 0.89s.
It appears yargs has fixed their dependency requirement in version 16.2.0: https://github.com/yargs/yargs/commit/ae001f34c968e8f4cda2a832d85b114753f4dee0

yargs pulls y18n using a semver range which allows a non-vulnerable version. This is not a bug in nyc; the problem is your lockfile. The sure-fire way to resolve your lockfile is to delete it and reinstall to generate a new one.

yargs 16+ drops support for versions of node which nyc supports. yargs will not be upgraded until nyc 16, which does not yet have an ETA. nyc 16 will be a major release dropping old versions of node and upgrading to babel 8 (which is not yet available).
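The maintainer's point above (the declared range already permits a patched y18n, so a stale lockfile is what keeps the vulnerable version pinned) can be checked mechanically. The following is an added example, not code from nyc, yargs or anyone in this thread. The patched range is the one printed in the audit table; the `^4.0.0` range attributed to yargs 15, the list of published y18n versions and the two lockfile fragments are assumptions constructed for illustration, not fetched from the registry or a real yarn.lock.

```javascript
// Added example: a minimal semver check for the situation in this thread.
// Not code from nyc, yargs or the issue's participants. It handles only what
// is needed here: x.y.z versions, the comparators >= > <= < =, caret ranges
// (^x.y.z with x > 0) and "||" alternatives.

// Patched range as printed in the yarn audit table above.
const PATCHED_Y18N = '>=5.0.5||>=4.0.1 <5.0.0||>=3.2.2 <4.0.0';

// Assumption for illustration: the range yargs 15.x declares for y18n.
const YARGS15_Y18N_RANGE = '^4.0.0';

// Constructed sample of published y18n versions (assumption, not fetched).
const PUBLISHED_Y18N = ['3.2.1', '3.2.2', '4.0.0', '4.0.1', '4.0.3', '5.0.0', '5.0.5', '5.0.8'];

// "1.2.3" or "v1.2.3" -> [1, 2, 3]; anything else is rejected.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// ^x.y.z with x > 0 means >=x.y.z <(x+1).0.0, the only caret case needed here.
function expandCaret(v) {
  const [major, minor, patch] = parseVersion(v);
  if (major === 0) throw new Error('^0.x ranges are not handled in this example');
  return [`>=${major}.${minor}.${patch}`, `<${major + 1}.0.0`];
}

// "A || B" -> list of comparator sets, each a list of { op, version }.
function parseRange(range) {
  return range.split('||').map(set => {
    const tokens = set.trim().split(/\s+/).flatMap(t =>
      t.startsWith('^') ? expandCaret(t.slice(1)) : [t]);
    return tokens.map(t => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(t);
      return { op: m[1] || '=', version: parseVersion(m[2]) };
    });
  });
}

// True if `version` is inside `range` (any alternative, all comparators).
function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).some(set => set.every(({ op, version: w }) => {
    const c = compare(v, w);
    return { '>=': c >= 0, '>': c > 0, '<=': c <= 0, '<': c < 0, '=': c === 0 }[op];
  }));
}

// Published versions the declared range can resolve to that are also patched.
// Non-empty means the dependency's range is fine and the lockfile is the culprit.
function patchedCandidates(declaredRange, patchedRange, published) {
  return published.filter(v => satisfies(v, declaredRange) && satisfies(v, patchedRange));
}

// Walk a flattened lockfile-like map { "pkg@range": resolvedVersion } and
// return the entries of `pkg` whose resolved version is still vulnerable.
function vulnerableLockEntries(lock, pkg, patchedRange) {
  return Object.entries(lock)
    .filter(([key]) => key.startsWith(`${pkg}@`))
    .filter(([, resolved]) => !satisfies(resolved, patchedRange))
    .map(([key, resolved]) => `${key} -> ${resolved}`);
}

// Constructed lockfile fragments (assumption): before and after regenerating.
const STALE_LOCK = { 'y18n@^4.0.0': '4.0.0', 'yargs@^15.0.0': '15.4.1' };
const FRESH_LOCK = { 'y18n@^4.0.0': '4.0.3', 'yargs@^15.0.0': '15.4.1' };

console.log('patched versions reachable from', YARGS15_Y18N_RANGE, ':',
  patchedCandidates(YARGS15_Y18N_RANGE, PATCHED_Y18N, PUBLISHED_Y18N));
console.log('stale lock:', vulnerableLockEntries(STALE_LOCK, 'y18n', PATCHED_Y18N));
console.log('fresh lock:', vulnerableLockEntries(FRESH_LOCK, 'y18n', PATCHED_Y18N));
```

Run with `node`: the stale fragment reports `y18n@^4.0.0 -> 4.0.0` while the regenerated one reports nothing, and the reachable-patched list is non-empty for `^4.0.0`, which is exactly the distinction between "the range is too narrow, fix the dependency" and "the range is fine, regenerate the lockfile". The same check applies to any advisory whose "Patched in" field is a `||`-joined comparator list; only the constants change.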