Create-react-app: yargs-parser are vulnerable to prototype pollution in version 3.4.1
Describe the bug
yargs-parser are vulnerable to prototype pollution in version 3.4.1
Expected behavior
should fix the security issue.
Actual behavior
yargs-parser are vulnerable to prototype pollution in version 3.4.1.
vikramdadwal
All 5 comments
[email protected] doesn't exist.
ianschmitz
on 8 May 2020
@ianschmitz I believe this issue is referring to react-scripts version 3.4.1 not yargs-parser.
-- [email protected]
+-- [email protected]
| -- [email protected]
| -- -- [email protected]
| -- -- -- [email protected]
-- [email protected]
-- -- [email protected]
-- -- -- [email protected]
navidjh
on 9 May 2020
Why was this issue closed if the issue has not been fixed? react-scripts 3.4.1 is still vulnerable and will cause an npm audit to return non-zero:
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of react-scripts [dev]
Path react-scripts > webpack-dev-server > yargs > yargs-parser
More info https://npmjs.com/advisories/1500
pzelnip
on 12 May 2020
this has been resolved on master but not yet released: https://github.com/facebook/create-react-app/pull/8975
mhassan1
on 13 May 2020
Any sense of when that release will be?
pzelnip
on 13 May 2020
Related issues
dualcnhq
路
3Comments
fson
路
3Comments
wereHamster
路
3Comments
oltsa
路
3Comments
jnachtigall
路
3Comments
Most helpful comment
@ianschmitz I believe this issue is referring to react-scripts version 3.4.1 not yargs-parser.
-- [email protected]
+-- [email protected]
| -- [email protected]
| -- -- [email protected]
| -- -- -- [email protected]
-- [email protected]
-- -- [email protected]
-- -- -- [email protected]