
Yargs dependency leads to vulnerable mem package


The current "yargs": "^11.0.0" dependency has in turn a dependency on "os-locale": "^2.0.0", which in turn is dependent on "mem": "^1.1.0" which is vulnerable.

It seems that the only way out is: bump the version of "yargs" to at least 12.0.0 but 13 is better.

Many thanks for adopting the stale mocha-webpack, by the way.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (4 by maintainers)

Top GitHub Comments

larixer commented, Jul 16, 2019

Okay, no worries 😃 I’ll handle this

larixer commented, Jul 16, 2019

@dirkroorda Done, published mochapack@1.1.2
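The issue above is about a package that is only reachable transitively (yargs pulls in os-locale, which pulls in mem), and a lockfile's nesting does not show that chain once npm hoists packages to the root. The script below is an added example, not code from the mochapack project or the issue thread: it follows each package's "requires" map in a package-lock v1 tree, resolving names the way npm does (nearest nested "dependencies" first, then upward to the root), so it can print every chain that reaches a package of interest and check whether the resolved yargs is still below the version the issue says is needed. The package.json and lockfile objects are constructed samples that mirror the chain described in the issue.

```javascript
// Added example (not from the mochapack project): trace chains to a transitive dependency
// in a package-lock v1 style tree and check the yargs major against a required floor.
// Both objects below are constructed samples that mirror the chain described in the issue.
const constructedPkg = { dependencies: { yargs: "^11.0.0", mocha: "^6.1.4" } };
const constructedLock = {
  dependencies: {
    // npm hoists packages to the root, so nesting alone does not show who pulled in mem.
    yargs: { version: "11.1.1", requires: { "os-locale": "^2.0.0" } },
    "os-locale": { version: "2.1.0", requires: { mem: "^1.1.0" } },
    mem: { version: "1.1.0" },
    mocha: { version: "6.1.4" },
  },
};

// npm resolution for a v1 lock: look the name up in the nearest ancestor's nested
// "dependencies", then keep walking upward; ancestors[0] is always the lock root.
function resolveName(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const found = (ancestors[i].dependencies || {})[name];
    if (found) return found;
  }
  return undefined;
}

// Return every "a@x > b@y > target@z" chain from the project's direct deps to target.
function chainsTo(lock, pkg, target) {
  const chains = [];
  const walk = (requires, ancestors, trail) => {
    for (const name of Object.keys(requires || {})) {
      const dep = resolveName(name, ancestors);
      if (!dep) continue; // a name that resolves nowhere means an inconsistent lockfile
      const next = [...trail, `${name}@${dep.version}`];
      if (name === target) chains.push(next.join(" > "));
      if (trail.some((s) => s.startsWith(`${name}@`))) continue; // cycle guard
      walk(dep.requires, [...ancestors, dep], next);
    }
  };
  walk(pkg.dependencies, [lock], []);
  return chains;
}

// The issue's remediation is bumping yargs; report whether the resolved major is below
// the floor the issue names (12), which is how you would confirm the bump actually landed.
function yargsBelow(lock, minMajor) {
  const entry = lock.dependencies.yargs;
  return Boolean(entry) && parseInt(entry.version.split(".")[0], 10) < minMajor;
}

console.log(chainsTo(constructedLock, constructedPkg, "mem")); // ["yargs@11.1.1 > os-locale@2.1.0 > mem@1.1.0"]
console.log(yargsBelow(constructedLock, 12)); // true
```

To run it against a real project, replace the constructed objects with `JSON.parse` of package.json and package-lock.json (v1 format, i.e. lockfileVersion 1); the same chains are what `npm ls mem` prints.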
