vulnerability in Optimist #674
Is this something to be afraid of if db-migrate is used only as a dev dependency?
Depends how the code is packaged for deployment. We build a code package that is then pushed to production. db-migrate is then run as part of the start-up script for the application. This will only work when it's installed as a production dependency.
Furthermore, optimist is deprecated: https://github.com/substack/node-optimist#deprecation-notice We should update this library to use one of the recommended other packages...
Agreeing, I thought about replacing it anyway already. So either an alternative like in this effort here #675, or replace it with commander.
For reference, there is an open PR for replacing optimist with yargs (see #679). A similar approach was used to resolve vulnerabilities in Handlebars (see handlebars-lang/handlebars.js#1666).
Optimist inherits a vulnerability from an older version of minimist. This causes npm audit to fail. Because optimist is no longer being maintained, I think the best solution would be to use minimist directly.
Solution
Use minimist directly and bypass the need for optimist.