Skip to content
This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

High severity vulnerability detected in yargs #3021

Closed
harolrodriguez opened this issue Nov 3, 2020 · 5 comments
Closed

High severity vulnerability detected in yargs #3021

harolrodriguez opened this issue Nov 3, 2020 · 5 comments

Comments

@harolrodriguez
Copy link

A security assessment was performed and vulnerabilities were found to dependency sane

It is requested to update from version " y18n": "^4.0.0" to " y18n": "^5.0.5"

reference:
yargs/y18n#107
yargs/y18n#108

@harolrodriguez harolrodriguez changed the title High severity vulnerability detected in sane dependencies High severity vulnerability detected in yargs Nov 4, 2020
@nschonni
Copy link
Contributor

nschonni commented Nov 5, 2020

Thanks, I took a look at the package-lock.json after a fresh install and found that y18n is only a dependency for yargs, which in turn is only a dev dependency except for sass-graph's CLI (which we don't interact with).

Also, not seeing anything from npm audit

@nschonni nschonni closed this as completed Nov 5, 2020
@AlAyoub
Copy link

AlAyoub commented Nov 14, 2020

@nschonni The scanner is still showing y18n as a vulnerability. How did you exclude yargs? I am unable to exclude yargs since node-sass is in my dependencies and node-sass is pulling in yargs.

@nschonni
Copy link
Contributor

I'm still not seeing anything installing locally, you should bring this up with whatever scanning tool vendor you're using

@AlAyoub
Copy link

AlAyoub commented Nov 14, 2020

@nschonni what version of node-sass are you using? Also, what version of node are you using?

@mfranzke
Copy link

mfranzke commented Mar 19, 2021

The tool whitesource is actually reporting y18n related to node-sass - I sadly cannot share an online result, as this is being reported within our internal installation of that tool.

But I actually do see a direct relation out of dependencies (not devDependencies) within the tree, compare to e.g.
https://npm.broofa.com/?q=node-sass

sass-graph reference: https://github.com/sass/node-sass/blob/v4.14.1/package.json#L70
-> yargs reference: https://github.com/xzyfer/sass-graph/blob/v2.2.5/package.json#L24
-> y18n reference: https://github.com/yargs/yargs/blob/v14.0.0/package.json#L31 (13.3.2 not available as a git tag)

[email protected] vulnerability description: https://snyk.io/test/npm/y18n/4.0.0

Nevertheless it would need to be sass-graph obviously first of all in need to upgrade yargs: xzyfer/sass-graph#114

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants