
transitive dependency 'minimist' needs to be updated by rebuilding #342

Open

jacalata opened this issue Feb 2, 2024 · 1 comment
jacalata commented Feb 2, 2024

This is not AFAIK an actual security vulnerability, but this package bundles a package that has a security vulnerability. My company tries to maintain a baseline of 0 'critical' vulnerabilities as labelled by yarn audit, but we have installed something that includes the json5 package and has flagged this for us. GHSA-xvch-5gv4-984h

From reading the package-lock.json file, I believe that it is sitting on minimist 1.2.5 only because that was the latest version at the time of build: the packages that include it all use semver syntax like ^1.2.2, so simply re-running npm install or equivalent should bring in minimist 1.2.6 with the fix.

jordanbtucker (Member) commented

Thanks for reporting this. Both of the latest supported versions of json5 contain zero runtime dependencies. The latest supported versions are v1.0.2 and v2.2.3.

This means that, when using json5 as a library or a CLI (e.g. when running npm install json5 / yarn add json5), json5 has zero dependencies. Only when you install json5 in development mode (e.g. cloning this repo and then running npm install / yarn install inside the directory) will json5 require any dependencies.

Since json5 is considered feature complete for the moment, this project is not in active development, so dev dependencies will not be updated.

If a package manager (npm, yarn, etc.) is reporting a security vulnerability for json5, please ensure that one of the latest supported versions of json5 is installed and ensure that the package manager is not including json5's dev dependencies in its audit.
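As an added example (not code from the json5 project or from either participant), the following Python check reads a package-lock.json and reports which copies of a package sit below a fixed version, separating copies reachable at runtime from dev-only copies, which is the distinction the reply above draws. The lockfile contents and the package names some-cli and some-dev-tool are constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed package-lock.json (lockfileVersion 3 layout); not from the json5 repo.
# Entries flagged "dev": true are installed only for development of the root package.
LOCK_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"json5": "^2.2.3", "some-cli": "^1.0.0"},
         "devDependencies": {"some-dev-tool": "^4.0.0"}},
    "node_modules/json5": {"version": "2.2.3"},
    "node_modules/some-cli": {"version": "1.0.0", "dependencies": {"minimist": "^1.2.0"}},
    "node_modules/some-cli/node_modules/minimist": {"version": "1.2.5"},
    "node_modules/some-dev-tool": {"version": "4.0.0", "dev": true,
                                   "dependencies": {"minimist": "^1.2.2"}},
    "node_modules/minimist": {"version": "1.2.5", "dev": true}
  }
}
"""

def parse_version(v: str) -> tuple:
    """'1.2.5' -> (1, 2, 5); any pre-release suffix is ignored for this comparison."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def package_name(path: str) -> str:
    """Package name from a lockfile path, handling nesting and scoped names."""
    return path.rsplit("node_modules/", 1)[-1]

def find_outdated(lock: dict, name: str, fixed_in: str) -> Dict[str, List[str]]:
    """Lockfile paths holding `name` below `fixed_in`, split into runtime vs dev-only."""
    result: Dict[str, List[str]] = {"runtime": [], "dev": []}
    for path, meta in lock.get("packages", {}).items():
        if not path or package_name(path) != name:
            continue  # skip the root entry and unrelated packages
        if parse_version(meta["version"]) >= parse_version(fixed_in):
            continue  # already at or above the fixed version
        result["dev" if meta.get("dev") else "runtime"].append(path)
    return result

def audit(lock_text: str, name: str, fixed_in: str) -> Dict[str, List[str]]:
    return find_outdated(json.loads(lock_text), name, fixed_in)

if __name__ == "__main__":
    report = audit(LOCK_JSON, "minimist", "1.2.6")
    print("runtime copies needing an update:", report["runtime"])
    print("dev-only copies (excluded by `npm audit --omit=dev`):", report["dev"])
```

Only the "runtime" list matters for what ships; a non-empty "dev" list with an empty "runtime" list is the situation the maintainer describes, where the audit is counting development-only dependencies.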
