yargs-unparser audit warning

Question

yargs-unparser audit warning

joebowbeerxealth opened this issue 3 years ago · comments

npm audit is complaining about ansi-regex@4.1.0 via yargs-unparser@1.6.4

https://snyk.io/test/npm/npm-audit-resolver/2.3.1

Remediation: Upgrade to yargs-unparser@2.0.0

Workaround: Make sure npm-audit-resolver is installed as a devDependency and pass --production option to the audit checker.

Zbyszek Tenerowicz · Answer 1 · Thu Oct 28 2021 19:51:44 GMT+0800 (China Standard Time)

I've been working on the future version for a while and latest tag in npm didn't get updates. Should probably release the npm7+ support now, but it's still missing a feature it used to have.

Joe Bowbeer · Answer 2 · Wed Jan 12 2022 16:02:06 GMT+0800 (China Standard Time)

The npm7-dev branch currently depends on yargs-unparser@1.6.4, too, which is pulling in a bad ansi-regex

https://nvd.nist.gov/vuln/detail/CVE-2021-3807

Zbyszek Tenerowicz · Answer 3 · Wed Jan 12 2022 17:47:26 GMT+0800 (China Standard Time)

@joebowbeer If you PR this, I'll merge and publish by the end of the week

Joe Bowbeer · Answer 4 · Fri Jan 14 2022 08:32:23 GMT+0800 (China Standard Time)

@naugtur see #53

Zbyszek Tenerowicz · Answer 5 · Mon Jan 17 2022 01:08:30 GMT+0800 (China Standard Time)

released as 3.0.0-5