Cli: [BUG] Yargs-parser dependency package is outdated and contains reported security vulnerability

Created on 3 Jun 2020 · 2 Comments · Source: npm/cli

What / Why

https://github.com/npm/cli/tree/latest/node_modules/yargs-parser
That version of yargs-parser is severely outdated and contains the known security vulnerability CVE-2020-7608 (https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2). That bug is fixed in yargs-parser versions 18.1.1, 13.1.2 and 15.0.1.

When

While scanning a nodejs docker image, the Aqua Security scanner reports that library as outdated with the aforementioned vulnerability.

Where

When scanning the latest nodejs 12.18.0 docker image, we get a CVE-2020-7608 finding in the yargs-parser library in the npm dependency of nodejs (node-v12.18.0/deps/npm/node_modules/yargs-parser).

How

  • n/a

Current Behavior

Fails security scanners because of CVE-2020-7608

Steps to Reproduce

  • n/a

Expected Behavior

yargs-parser should be updated to one of the current versions (^18.1.1, ^13.1.2, ^15.0.1).

Who

  • n/a

References

  • n/a
Bug

All 2 comments

Sounds like something to file on yargs - this is npm.

@ljharb - the yargs-parser issue has been fixed a long time ago, but npm has a two-years-outdated version of yargs which needs to be updated in npm. As I've mentioned in the description, this is where the yargs-parser package is used in npm: https://github.com/npm/cli/tree/latest/node_modules/yargs-parser - it needs to be updated to the latest yargs-parser version.
