
minimist/0.2.1 reported vulnerability with ember-cli in latest LTS version v3.28.5 #9901

Closed
gautamkct opened this issue May 10, 2022 · 3 comments

Comments

@gautamkct

Hi Team,

We are using ember-cli v3.28.5, which internally adds the minimist/0.2.1 package as a transitive dependency. It has the CVE-2021-44906 vulnerability, which is preventing us from going live. Kindly help us fix this in the latest LTS version.

Path : ember-cli/3.28.5 -> bower-config/1.4.3 -> minimist/0.2.1

@gautamkct gautamkct changed the title minimist/0.2.1 reported vulnerability with ember-cli n latest LTS version v3.28.5 minimist/0.2.1 reported vulnerability with ember-cli in latest LTS version v3.28.5 May 10, 2022
@ef4
Contributor

ef4 commented May 19, 2022

This vulnerability does not have any impact in ember-cli. minimist only handles trusted input (things you type on your own command line).

Bower support is deprecated in ember-cli 4.x to be removed at 5.0. It's not clear if bower-config is actively maintained. There is an open PR addressing this issue, and if they do a patch release with that fix no changes are required in ember-cli to make the spurious warning go away.

But if they don't, we're going to leave things as they are, because (1) there is no real security impact for ember-cli users, (2) dropping bower support is a breaking change that we won't do until ember-cli 5.0.

If you want to get the vulnerable version of minimist out of your toolchain in order to satisfy a reviewer who doesn't understand nuance, use yarn resolutions or NPM overrides.
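
One way to apply that suggestion, added here as an example and not taken from the issue or from ember-cli itself: a package.json fragment that pins the minimist reached through bower-config (the path quoted in the report) for both Yarn classic (`resolutions`) and npm 8.3 or newer (`overrides`). `my-ember-app` is a made-up name, and `<patched-version>` stands for the minimist release that the CVE-2021-44906 advisory lists as fixed.

```json
{
  "name": "my-ember-app",
  "private": true,
  "devDependencies": {
    "ember-cli": "3.28.5"
  },
  "resolutions": {
    "bower-config/minimist": "<patched-version>"
  },
  "overrides": {
    "bower-config": {
      "minimist": "<patched-version>"
    }
  }
}
```

After reinstalling, `npm ls minimist` or `yarn why minimist` should show only the pinned version under bower-config, which is what makes the scanner warning go away without touching ember-cli.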

@gautamkct
Author

Thanks for the detailed info @ef4

@bertdeblock

Going to close this one for now. Thanks for reporting!
