Remove `yargs@11` indirect dependency
acuarica opened this issue · comments
One of the solc compiler versions used for testing, v0.5.5, depends on `"yargs": "^11.0.0"`. This indirect dependency is vulnerable to Prototype Pollution https://security.snyk.io/vuln/SNYK-JS-YARGSPARSER-560381. This vulnerability has a moderate severity and it is not actually used. It is used by solc to parse CLI arguments. So it does not represent a real issue.
However, the best solution would be to skip installing this package to avoid any issue. One solution could be to fork `solc@0.5.5` and remove the unnecessary dependency.
Note that https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/ is not an option, given that ideally we would like to remove the indirect dependency altogether. And the command `yarn patch` is only available in Yarn v2.
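A lockfile check, added here as an example and not code from the issue or the project: it parses a `yarn.lock` in the v1 format and lists which entries depend on `yargs` resolved to major version 11, so that after forking or dropping `solc@0.5.5` one can confirm the indirect dependency is really gone. The lockfile content is a constructed sample, and `parseYarnLock` / `findDependents` are hypothetical helper names.

```javascript
// Added example, not code from the issue or the project: parse a yarn.lock (v1 format) and
// report which packages pull in a dependency at a given major, to check yargs@11 is really gone.
const LOCKFILE = `# constructed sample in yarn lockfile v1 format (not a real lockfile)
"solc@0.5.5":
  version "0.5.5"
  dependencies:
    yargs "^11.0.0"
yargs@^11.0.0:
  version "11.1.1"
  dependencies:
    yargs-parser "^9.0.2"
yargs-parser@^9.0.2:
  version "9.0.2"
`;
const unq = s => s.replace(/^"|"$/g, '');   // strip surrounding double quotes

// Minimal yarn.lock v1 parser: header keys (`name@range, ...:`), version, (optional)dependencies.
function parseYarnLock(text) {
  const entries = []; let cur = null, inDeps = false;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {                       // new entry header
      cur = { keys: line.replace(/:\s*$/, '').split(',').map(k => unq(k.trim())), version: null, deps: {} };
      entries.push(cur); inDeps = false;
    } else if (/^ {2}version /.test(line)) {
      cur.version = unq(line.trim().split(/\s+/)[1]); inDeps = false;
    } else if (/^ {2}(optionalD|d)ependencies:/.test(line)) {
      inDeps = true;
    } else if (inDeps && /^ {4}\S/.test(line)) {       // `    name "range"`
      const [n, r] = line.trim().split(/\s+/); cur.deps[unq(n)] = unq(r);
    }
  }
  return entries;
}

// [dependentKey, requestedSpec, resolvedVersion] for every entry whose dep `name` resolves to `major`.
function findDependents(lockText, name, major) {
  const entries = parseYarnLock(lockText), hits = [];
  for (const e of entries) {
    const range = e.deps[name];
    if (range === undefined) continue;
    const target = entries.find(t => t.keys.includes(`${name}@${range}`));
    if (target && Number(target.version.split('.')[0]) === major) {
      hits.push([e.keys[0], `${name}@${range}`, target.version]);
    }
  }
  return hits;
}
console.log(findDependents(LOCKFILE, 'yargs', 11)); // [['solc@0.5.5', 'yargs@^11.0.0', '11.1.1']]
```

Run it against the project's real `yarn.lock` instead of the sample; an empty result for `yargs` at major 11 means no package in the tree still requests it.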
solc v0.5.5 removed in ec2b097