vulnerability CVE-2020-7598 is introduced by package minimist #1961
Comments
Thanks @ayaka-kms for bringing this up! I vaguely remember pushing some changes in Dredd so that we could replace optimist, e.g. with yargs. It's been a few years though and I'm not actively participating on Dredd anymore, so I can't say how much is missing now. That said, the CVE you mention is something quite unlikely to affect Dredd users, given the nature of how optimist is used and how Dredd is typically being executed. Correct me if I'm wrong and there is a real attack vector, which could actually cause damage.
Hi, @honzajavorek @artem-zakharchenko, a vulnerability CVE-2020-7598 is introduced in [email protected] via:
● [email protected] ➔ [email protected] ➔ [email protected]
However, optimist is a legacy package, which has not been maintained for about 8 years.
Is it possible to migrate from optimist to another package to remediate this vulnerability?
I noticed several migration records in other js repo for dredd:
Thanks.
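The report above gives the dependency path by which minimist reaches Dredd (root ➔ optimist ➔ minimist). When assessing an advisory like this, the first thing a maintainer wants to confirm is which copy of the package actually resolves along each path, because a hoisted copy at the top level and a nested copy under another dependency can be different versions. The script below is an added example, not code from the Dredd project or from anyone in this thread. It assumes a lockfile-v1 style tree (top-level `dependencies` map, per-entry `requires`, optional nested `dependencies`), uses a constructed sample lock with made-up version numbers, and the function names (`findDependencyPaths`, `vulnerablePaths`, `isBelow`) are hypothetical; the `"1.0.0"` threshold used at the bottom is illustrative and must be replaced with the fixed version from the advisory you are assessing.

```javascript
// Added example, not code from the Dredd project or this issue. Walks a
// lockfile-v1 style tree and lists every dependency path from the root to a
// target package, with the version that actually resolves at the end of it.

// Constructed sample lock data. Package names follow the chain in the issue
// (root -> optimist -> minimist); every version number here is made up.
const SAMPLE_LOCK = {
  name: "dredd",
  version: "0.0.1-sample",
  dependencies: {
    optimist: { version: "0.2.0-sample", requires: { minimist: "~0.3.0", wordwrap: "~0.0.2" } },
    minimist: { version: "0.3.0-sample" }, // hoisted copy: satisfies optimist's requirement
    wordwrap: { version: "0.0.3-sample" },
    "other-cli": {
      version: "2.0.0-sample",
      requires: { minimist: "^1.3.0" },
      dependencies: { minimist: { version: "1.3.0-sample" } } // nested copy: shadows the hoisted one
    }
  }
};
// The root's direct dependencies (in real use read from package.json; constructed here).
const ROOT_REQUIRES = ["optimist", "other-cli"];

// Resolve `name` the way Node would for a package at the given nesting chain:
// innermost nested node_modules first, then each ancestor, then the top level.
function resolveFrom(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Enumerate every path from the root to `target`. `chain` holds the lock nodes
// along the current path, `labels` the matching name@version strings.
function findDependencyPaths(lock, rootRequires, target) {
  const found = [];
  function walk(chain, labels, requires) {
    for (const name of requires) {
      const entry = resolveFrom(chain, name);
      if (!entry) continue; // not in the lock: nothing is installed for it
      if (chain.includes(entry)) continue; // cycle guard
      const nextChain = chain.concat(entry);
      const nextLabels = labels.concat(`${name}@${entry.version}`);
      if (name === target) found.push({ path: nextLabels, version: entry.version });
      walk(nextChain, nextLabels, Object.keys(entry.requires || {}));
    }
  }
  walk([lock], [`${lock.name}@${lock.version}`], rootRequires);
  return found;
}

// Minimal comparison on the major.minor.patch core; a "-tag" suffix is ignored.
// Use a real semver library for production checks.
function versionCore(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
function isBelow(version, threshold) {
  const a = versionCore(version);
  const b = versionCore(threshold);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Paths whose resolved version is older than `fixedVersion`. Take the real
// threshold from the advisory for the CVE you are assessing.
function vulnerablePaths(lock, rootRequires, target, fixedVersion) {
  return findDependencyPaths(lock, rootRequires, target)
    .filter((hit) => isBelow(hit.version, fixedVersion))
    .map((hit) => hit.path.join(" -> "));
}

// Stand-alone run on the constructed sample with an illustrative threshold.
for (const line of vulnerablePaths(SAMPLE_LOCK, ROOT_REQUIRES, "minimist", "1.0.0")) {
  console.log("path below threshold:", line);
}
```

On the sample data only the optimist path resolves to the hoisted, older minimist copy; the nested copy under `other-cli` is newer and is not reported. Listing the path rather than only the version is what lets a maintainer reason, as the comment above does, about whether the code that reaches the vulnerable parser ever sees untrusted input.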