Remove dependence on outdated minimist #190

hobindar · 2020-05-11T15:54:50Z

Certain versions of minimist have a known security vulnerability and
thus should not be used a dependency. See CVE-2020-7598.

This change removes peerjs' dependence on said versions of minimist.
It does this by replacing its usage of optimist, which is no longer
maintained, with yargs, its spiritual successor. It also updates the
transitive dependencies in package-lock.json as needed.

Resolves #189

Optimist is no longer maintained. It has not been updated since 2014, even for basic security updates. Thus this change replaces it with its spiritual successor, yargs, which is still actively maintained. This is also a first step to removing peerjs' dependence on an outdated version of minimist that has known security vulnerabilities.

This change removes the last bit of dependence on a version of minimist that has a known prototype pollution vulnerability.

afrokick · 2020-05-11T18:14:05Z

Thanks, @hobindar

hobindar added 2 commits May 11, 2020 11:22

Update transitive dependencies on minimist

11dfde9

This change removes the last bit of dependence on a version of minimist that has a known prototype pollution vulnerability.

afrokick merged commit 4009273 into peers:master May 11, 2020

afrokick added this to the 0.5.3 milestone May 11, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Remove dependence on outdated minimist #190

Remove dependence on outdated minimist #190

Uh oh!

hobindar commented May 11, 2020

Uh oh!

afrokick commented May 11, 2020

Uh oh!

Uh oh!

Uh oh!

Remove dependence on outdated minimist #190

Remove dependence on outdated minimist #190

Uh oh!

Conversation

hobindar commented May 11, 2020

Uh oh!

afrokick commented May 11, 2020

Uh oh!

Uh oh!