minimist/0.2.1 reported vulnerability with ember-cli in latest LTS version v3.28.5 #9901
Comments
This vulnerability does not have any impact in ember-cli. minimist only handles trusted input (things you type on your own command line). Bower support is deprecated in ember-cli 4.x to be removed at 5.0. It's not clear if bower-config is actively maintained. There is an open PR addressing this issue, and if they do a patch release with that fix no changes are required in ember-cli to make the spurious warning go away. But if they don't, we're going to leave things as they are, because (1) there is no real security impact for ember-cli users, (2) dropping bower support is a breaking change that we won't do until ember-cli 5.0. If you want to get the vulnerable version of minimist out of your toolchain in order to satisfy a reviewer who doesn't understand nuance, use yarn resolutions or NPM overrides.
Thanks for the detailed info @ef4
Going to close this one for now. Thanks for reporting!
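To confirm that a yarn resolution or npm override actually replaced the flagged copy, one can walk the installed dependency tree and list every path to minimist, in the same form as the issue's `Path` line. This is an added example, not part of the thread or of ember-cli; the tree is a constructed sample shaped like `npm ls --all --json` output, and `findCopies`, `offPin`, `my-app` and the `X.Y.Z` pin are hypothetical names and placeholders.

```javascript
// Constructed sample shaped like `npm ls --all --json` output (not real output).
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "ember-cli": {
      version: "3.28.5",
      dependencies: {
        "bower-config": {
          version: "1.4.3",
          dependencies: { minimist: { version: "0.2.1" } },
        },
      },
    },
  },
};

// Depth-first walk: return every installed copy of `target` with its full path.
function findCopies(node, target, trail = []) {
  const copies = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, `${name}/${dep.version}`];
    if (name === target) {
      copies.push({ version: dep.version, path: here.join(" -> ") });
    }
    copies.push(...findCopies(dep, target, here));
  }
  return copies;
}

// Copies whose version differs from the pin set in package.json, e.g.
//   npm:  "overrides":   { "minimist": "X.Y.Z" }
//   yarn: "resolutions": { "minimist": "X.Y.Z" }
// "X.Y.Z" is a placeholder for the release your scanner accepts.
function offPin(tree, target, pinned) {
  return findCopies(tree, target).filter((c) => c.version !== pinned);
}

for (const c of offPin(sampleTree, "minimist", "X.Y.Z")) {
  console.log(`still off pin: ${c.path}`);
}
```

An empty result from `offPin` after reinstalling means no path in the tree still resolves to a version other than the pinned one.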
Hi Team,
We are using ember-cli v3.28.5, which internally adds the minimist/0.2.1 package as a transitive dependency. That package has the CVE-2021-44906 vulnerability, which is preventing us from going live. Kindly help us fix this in the latest LTS version.
Path : ember-cli/3.28.5 -> bower-config/1.4.3 -> minimist/0.2.1