Comments (5)
FYI, it looks like optimist is deprecated (no new versions in 7 years) with a recommendation to use minimist instead.
from dredd.
@abtris or another maintainer... looking for some guidance here. It appears optimist is used as the command line parser for this project's CLI, would you be open to a pull request where that is swapped out for a more current package (such as yargs, minimist, etc.)? Seems like swapping that out is the best way to get rid of this security alert for good. If not, any other suggestions?
from dredd.
I see in Dependabot:
Dependabot cannot update minimist to a non-vulnerable version
The latest possible version that can be installed is 0.0.10 because of the following conflicting dependencies:
[email protected] requires minimist@^1.2.5 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.2.0 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.2.5 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.1.3 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.1.3 via a transitive dependency on [email protected]
The earliest fixed version is 0.2.1.
from dredd.
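An added example, not dredd's or Dependabot's own code: a small Node script that reproduces the kind of analysis Dependabot reports above on a constructed package-lock.json, listing every installed copy of minimist, the dependency whose nested node_modules pins it, and whether it is still below the fixed version. It assumes the lockfileVersion 2/3 "packages" layout, the 0.2.1 fix stated in the thread, and the 1.2.3 fix for the 1.x line from the advisory; the mkdirp entry is a hypothetical second dependent.

```javascript
// Added example (not dredd's or Dependabot's code): walk a package-lock.json
// "packages" map (lockfileVersion 2/3), list every installed copy of a package
// and flag those below the advisory's fixed version. The lockfile is constructed.

// Fixed versions for the minimist prototype-pollution advisory: 0.2.1 on the
// 0.x line (stated in the thread) and 1.2.3 on the 1.x line (per the advisory).
const FIXED_BY_MAJOR = { 0: '0.2.1', 1: '1.2.3' };
// "1.2.5" -> [1, 2, 5]; a leading "v" and any pre-release suffix are dropped.
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map(Number);
}
// Numeric comparator over major.minor.patch (<0, 0, >0).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
function isVulnerable(version) {
  const fixed = FIXED_BY_MAJOR[parseVersion(version)[0]];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}
// Every installed copy of `name`; `via` is the package whose nested
// node_modules holds the copy, or '(root)' for the hoisted top-level one.
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => {
      const parent = path.slice(0, -suffix.length).replace(/\/$/, '');
      const via = parent ? parent.split('node_modules/').pop() : '(root)';
      return { path, version: meta.version, via, vulnerable: isVulnerable(meta.version) };
    });
}
// Constructed lockfile: one fixed hoisted copy, plus two old copies nested under
// optimist (named in the thread) and a hypothetical second dependent, mkdirp.
const LOCK = { lockfileVersion: 2, packages: {
  'node_modules/minimist': { version: '1.2.5' },
  'node_modules/optimist': { version: '0.6.1', dependencies: { minimist: '~0.0.1' } },
  'node_modules/optimist/node_modules/minimist': { version: '0.0.10' },
  'node_modules/mkdirp': { version: '0.5.1', dependencies: { minimist: '0.0.8' } },
  'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
} };

for (const c of findCopies(LOCK, 'minimist')) {
  console.log(`${c.vulnerable ? 'VULNERABLE' : 'ok'} ${c.version} via ${c.via}`);
}
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of LOCK; each flagged `via` is a dependency whose minimist range has to be lifted before the alert can clear.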
@opichals @kuba-kubula any advice on this?
from dredd.
I did some prior analysis in #1695 (comment) with suggestion on how to proceed. Looks like yargs as a replacement might be a bit problematic due to licensing (although this may have changed). Last I checked minimist shouldn't be much of a problem, and it's already in the dependency tree albeit an older version.
from dredd.