mapbox / geojson-rewind

enforce polygon ring winding order for geojson

Using sharkdown which uses minimist with a CVE

daveisfera opened this issue · comments

Duplicate of #25.

@asheemmamoowala: This might not have been an exact duplicate. #25 does fix the version of minimist used directly by geojson-rewind. However, geojson-rewind's dependency on sharkdown still introduces a nested dependency on minimist 0.0.5, which has the security alert on it: https://github.com/tmcw-up-for-adoption/sharkdown/blob/v0.1.1/package.json#L14 So this means that geojson-rewind will still produce security alerts due to this nested dependency. Here's a result of npm/yarn audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > @mapbox/geojson-rewind > sharkdown > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
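The audit output above pins the problem to a nested path rather than a direct dependency. As an added example (not code from geojson-rewind, mapbox-gl, sharkdown or this issue), the script below walks a lockfile-style dependency tree and reports every path that reaches a minimist version outside the advisory's "Patched in" range, which is what `npm audit` is doing when it prints the Path row. The tree is constructed inline for illustration: sharkdown 0.1.1 and minimist 0.0.5 are taken from the issue, the other version numbers are assumptions, and a real run would load `package-lock.json` from disk instead.

```javascript
// Added example: find nested paths to an unpatched package version.
// Not part of geojson-rewind; the TREE below is constructed for illustration.

// Minimal semver parsing: "major.minor.patch" only; prerelease/build tags ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar covers what `npm audit` prints under "Patched in":
// comparator sets joined by "||", each set a space-separated list of
// <op><version> comparators that must all hold.
function satisfies(version, range) {
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const op = m[1] || '=';
      const c = compareVersions(version, m[2]);
      switch (op) {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Depth-first walk over a tree shaped like lockfile v1 nesting:
// { name, version, dependencies: { depName: { version, dependencies } } }.
// Every occurrence of the advisory's package is checked, not just the first,
// so a patched direct copy does not hide an unpatched nested one.
function findVulnerablePaths(root, advisory) {
  const hits = [];
  (function walk(name, node, path) {
    const here = [...path, name];
    if (name === advisory.package && !satisfies(node.version, advisory.patched)) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(dep, child, here);
    }
  })(root.name, root, []);
  return hits;
}

// "Patched in" range copied from the audit table; package name from the same row.
const ADVISORY = { package: 'minimist', patched: '>=0.2.1 <1.0.0 || >=1.2.3' };

// Constructed tree. mapbox-gl and geojson-rewind versions are assumed;
// sharkdown 0.1.1 and its minimist 0.0.5 pin come from the issue text.
const TREE = {
  name: 'mapbox-gl',
  version: '1.0.0',
  dependencies: {
    '@mapbox/geojson-rewind': {
      version: '0.4.1',
      dependencies: {
        minimist: { version: '1.2.5' }, // direct dependency, already patched
        sharkdown: {
          version: '0.1.1',
          dependencies: { minimist: { version: '0.0.5' } }, // nested, unpatched
        },
      },
    },
  },
};

// Stand-alone run: prints the one vulnerable path, matching the audit's Path row.
console.log(findVulnerablePaths(TREE, ADVISORY));
```

Fixing the direct `minimist` pin in geojson-rewind changes nothing for the second hit; only bumping or dropping sharkdown (or its minimist pin) clears it, which is the point the comment above makes.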