Skip to content

build: update minimist to 1.2.6 #22875

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 23, 2022
Merged

build: update minimist to 1.2.6 #22875

merged 4 commits into from
Mar 23, 2022

Conversation

alan-agius4
Copy link
Collaborator

No description provided.

@alan-agius4 alan-agius4 added the target: lts This PR is targeting a version currently in long-term support label Mar 22, 2022
@alan-agius4 alan-agius4 requested a review from dgp1130 March 22, 2022 12:24
@micalevisk
Copy link

looks like 1.2.6 still has the pollution vulnerability: https://snyk.io/test/npm/minimist/1.2.6

You guys could use an up-to-date fork of minimist: minimist-lite btw

@alan-agius4
Copy link
Collaborator Author

alan-agius4 commented Mar 22, 2022
edited
Loading

Hi @micalevisk,

Thanks for bringing that up. In that case let's just wait for another release by minimist to address the vulnerability.

That said, it is important to point out that we don't expect the CLI to run in production environments where this vulnerability can be exploited.

@alan-agius4 alan-agius4 removed the request for review from dgp1130 March 22, 2022 15:31
@micalevisk
Copy link

actually, I guess 1.2.6 is fine: https://github.com/substack/minimist/issues/164#issuecomment-1075404795

@alan-agius4
Copy link
Collaborator Author

Yeah looks like 1.2.6 is not vulnerable. https://snyk.io/vuln/npm:minimist

@alan-agius4 alan-agius4 requested review from clydin and dgp1130 and removed request for clydin March 23, 2022 10:08
@alan-agius4 alan-agius4 added the action: review The PR is still awaiting reviews from at least one requested reviewer label Mar 23, 2022
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Mar 23, 2022
@dgp1130 dgp1130 merged commit f23ba6d into angular:11.2.x Mar 23, 2022
@alan-agius4 alan-agius4 deleted the minimist-11 branch March 23, 2022 20:16
@dgp1130 dgp1130 mentioned this pull request Mar 24, 2022
Merged
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Apr 26, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dgp1130 dgp1130 dgp1130 approved these changes

Assignees
No one assigned
Labels
action: merge The PR is ready for merge by the caretaker target: lts This PR is targeting a version currently in long-term support
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alan-agius4 @micalevisk @dgp1130