Minimist vulnerability CVE-2021-44906 #214

Open
anirudhb-sf opened this issue Mar 22, 2022 · 1 comment · May be fixed by #215

anirudhb-sf commented Mar 22, 2022

  • Operating System: Mac OS
  • Node Version: v16.13.0
  • NPM Version: 6.14.16
  • csv-parser Version: 3.0.0

Expected Behavior / Situation

N/A

Actual Behavior / Situation

minimist: v1.2.5 brings in a security vulnerability which currently has no fix. The following dependency chain makes csv-parser a vulnerable package: csv-parser@3.0.0 › minimist@1.2.5.

Modification Proposal

Request for a security fix to make csv-parser package free from security vulnerabilities. We may shift to using minimist-lite as suggested here / eliminate the usage of minimist by providing an implementation to parse command line args.

@anirudhb-sf anirudhb-sf linked a pull request Mar 22, 2022 that will close this issue

sfwhite commented Mar 29, 2022

@mafintosh and @TrySound this is a fairly important one.

We're getting nicked on our corporate security scans, and we don't particularly want to refactor all of our projects to use a different lib, as this one is well made and that's a lot of tech debt to take on.

PR #215 eliminates the dependency entirely, PR #216 upgrades the existing dependency.
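
The dependency chain quoted in the issue (csv-parser@3.0.0 › minimist@1.2.5) can be recomputed from a project's lockfile to see every package that pulls in the flagged version. The following is an added example, not part of this thread or of csv-parser; it assumes the lockfileVersion 1 layout written by npm 6, and the sample lockfile, the `example-tool` package, the `requires` ranges and the function names are constructed for illustration.

```javascript
// Constructed sample (lockfileVersion 1); "example-tool" is hypothetical, ranges are made up.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'csv-parser': { version: '3.0.0', requires: { minimist: '^1.2.0' } },
  minimist: { version: '1.2.5' },
  'example-tool': { version: '2.0.0', requires: { minimist: '0.0.8' },
    dependencies: { minimist: { version: '0.0.8' } } }, // nested private copy
} };

// Flatten the nested tree, keeping a parent link so "requires" can be resolved.
function collectNodes(deps, parent, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const node = { id: `${name}@${info.version}`, requires: info.requires || {},
      children: info.dependencies || {}, parent };
    out.push(node);
    collectNodes(node.children, node, out);
  }
  return out;
}

// Resolve a required name as Node does: nearest nested copy first, then the
// top level (returns undefined if the lockfile has no copy of it).
function resolve(node, depName) {
  for (let n = node; n; n = n.parent) {
    if (n.children[depName]) return `${depName}@${n.children[depName].version}`;
  }
}

// Return every chain "a@x › b@y › name@version" that ends at the flagged package.
function findChains(lock, name, version) {
  const root = { children: lock.dependencies || {}, parent: null };
  const nodes = collectNodes(root.children, root, []);
  const target = `${name}@${version}`;
  if (!nodes.some((n) => n.id === target)) return [];
  const dependents = new Map(); // "pkg@ver" -> Set of "pkg@ver" that require it
  for (const node of nodes) {
    for (const depName of Object.keys(node.requires)) {
      const id = resolve(node, depName);
      if (id) dependents.set(id, (dependents.get(id) || new Set()).add(node.id));
    }
  }
  const chains = [];
  const walk = (id, path) => {
    const parents = [...(dependents.get(id) || [])].filter((p) => !path.includes(p));
    if (parents.length === 0) chains.push(path.join(' › '));
    for (const p of parents) walk(p, [p, ...path]);
  };
  walk(target, [target]);
  return chains.sort();
}
console.log(findChains(SAMPLE_LOCK, 'minimist', '1.2.5'));
```

A chain consisting only of the flagged package means nothing in the lockfile requires it, so it is a direct dependency of the project itself.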
