From e4765404844a0b6795752b2bc6f9b9107fe713be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Attila=20Ve=C4=8Derek?=
Date: Fri, 19 Feb 2021 21:00:43 +0100
Subject: [PATCH 1/5] Update y18n to fix CVE-2020-7774

PR-URL: https://github.com/npm/cli/pull/2737
Credit: @vecerek
Close: #2737
Reviewed-by: @ruyadorno
---
 node_modules/y18n/CHANGELOG.md |  7 +++++++
 node_modules/y18n/index.js     |  2 +-
 node_modules/y18n/package.json | 30 ++++++++++++++++--------------
 package-lock.json              |  6 +++---
 4 files changed, 27 insertions(+), 18 deletions(-)

diff --git a/node_modules/y18n/CHANGELOG.md b/node_modules/y18n/CHANGELOG.md
index c259076ad6da2..a3d5bcd534916 100644
--- a/node_modules/y18n/CHANGELOG.md
+++ b/node_modules/y18n/CHANGELOG.md
@@ -2,6 +2,13 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+### 4.0.1 (2020-11-30)
+
+### Bug Fixes
+
+* address prototype pollution issue ([#108](https://www.github.com/yargs/y18n/issues/108)) ([a9ac604](https://www.github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25))
+
 # [4.0.0](https://github.com/yargs/y18n/compare/v3.2.1...v4.0.0) (2017-10-10)
diff --git a/node_modules/y18n/index.js b/node_modules/y18n/index.js
index d72068162876a..727362aac0664 100644
--- a/node_modules/y18n/index.js
+++ b/node_modules/y18n/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
 
   // internal stuff.
-  this.cache = {}
+  this.cache = Object.create(null)
   this.writeQueue = []
 }
 
diff --git a/node_modules/y18n/package.json b/node_modules/y18n/package.json
index 24016e224a737..a8bab2cc194f8 100644
--- a/node_modules/y18n/package.json
+++ b/node_modules/y18n/package.json
@@ -1,30 +1,32 @@
 {
-  "_from": "y18n@^4.0.0",
-  "_id": "y18n@4.0.0",
+  "_from": "y18n@4.0.1",
+  "_id": "y18n@4.0.1",
   "_inBundle": false,
-  "_integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==",
+  "_integrity": "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ==",
   "_location": "/y18n",
   "_phantomChildren": {},
   "_requested": {
-    "type": "range",
+    "type": "version",
     "registry": true,
-    "raw": "y18n@^4.0.0",
+    "raw": "y18n@4.0.1",
     "name": "y18n",
     "escapedName": "y18n",
-    "rawSpec": "^4.0.0",
+    "rawSpec": "4.0.1",
     "saveSpec": null,
-    "fetchSpec": "^4.0.0"
+    "fetchSpec": "4.0.1"
   },
   "_requiredBy": [
+    "#USER",
+    "/",
     "/cacache",
     "/libnpx",
-    "/npm-profile/cacache",
-    "/npm-registry-fetch/cacache"
+    "/nyc/yargs",
+    "/yargs"
   ],
-  "_resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
-  "_shasum": "95ef94f85ecc81d007c264e190a120f0a3c8566b",
-  "_spec": "y18n@^4.0.0",
-  "_where": "/Users/rebecca/code/npm/node_modules/cacache",
+  "_resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz",
+  "_shasum": "8db2b83c31c5d75099bb890b23f3094891e247d4",
+  "_spec": "y18n@4.0.1",
+  "_where": "/Users/ruyadorno/Documents/workspace/cli-release/cli",
   "author": {
     "name": "Ben Coe",
     "email": "ben@npmjs.com"
@@ -66,5 +68,5 @@
     "release": "standard-version",
     "test": "nyc mocha"
   },
-  "version": "4.0.0"
+  "version": "4.0.1"
 }
diff --git a/package-lock.json b/package-lock.json
index dcb81c9349668..7a7815dd944f6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6156,9 +6156,9 @@
       "integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68="
     },
     "y18n": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
-      "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w=="
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz",
+      "integrity": "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ=="
     },
     "yallist": {
       "version": "3.0.3",
From d1161fbca30d71c8ebf07ae665b9557ceb6bbd42 Mon Sep 17 00:00:00 2001
From: Ruy Adorno
Date: Thu, 25 Mar 2021 13:34:29 -0400
Subject: [PATCH 2/5] docs: changelog for v6.14.12

---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2541e49d03d34..ee1f7410f2b86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 6.14.12 (2021-03-25)
+
+### DEPENDENCIES
+
+* [`e47654048`](https://github.com/npm/cli/commit/e4765404844a0b6795752b2bc6f9b9107fe713be)
+  [#2737](https://github.com/npm/cli/pull/2737)
+  Update y18n to fix CVE-2020-7774
+  ([@vecerek](https://github.com/vecerek))
+
 ## 6.14.11 (2021-01-07)
 
 ### DEPENDENCIES
From cc322b6d4115ef0c76202ebbadfe9b268d87f508 Mon Sep 17 00:00:00 2001
From: Ruy Adorno
Date: Thu, 25 Mar 2021 16:36:13 -0400
Subject: [PATCH 3/5] test: patch git init call

---
 test/tap/git-npmignore.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/tap/git-npmignore.js b/test/tap/git-npmignore.js
index 2ab7db7304f0f..c01f7aa50acc1 100644
--- a/test/tap/git-npmignore.js
+++ b/test/tap/git-npmignore.js
@@ -152,7 +152,7 @@ function setup (cb) {
   var git = escapeArg(gitPath)
 
-  exec(git + ' init', {cwd: dep}, init)
+  exec(git + ' init --initial-branch=main', {cwd: dep}, init)
 
   function init (er, _, stderr) {
     if (er) return cb(er)
From 98fca2db2d2a0e3ac592e29e9f514dd27ca833ab Mon Sep 17 00:00:00 2001
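Review bot: The new `exec(git + ' init --initial-branch=main', {cwd: dep}, init)` line ties the test to git 2.28 or newer, because `--initial-branch` is not recognised by older releases; there git exits non-zero, `init` receives `er` and the whole fixture setup fails before any .npmignore behaviour is exercised. If the goal is a predictable branch name independent of the host's `init.defaultBranch`, a portable form is to keep `git + ' init'` and follow it with `git symbolic-ref HEAD refs/heads/main` in the callback, which every git version accepts. At minimum the line deserves a comment such as `// --initial-branch requires git >= 2.28; pins the branch name so later assertions do not depend on init.defaultBranch` so the next person hitting an "unknown option" failure on an older CI image knows why. The command is still assembled as a shell string, but the only variable part is gitPath, which goes through escapeArg, and the added option is a literal, so this change adds no new quoting concern. setup's body starts before this hunk and continues past it.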
From: Ruy Adorno
Date: Thu, 25 Mar 2021 16:50:32 -0400
Subject: [PATCH 4/5] update AUTHORS

---
 AUTHORS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/AUTHORS b/AUTHORS
index 6e8890bc3c0e3..d00e81a1f49c7 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -708,5 +708,7 @@ Sandra Tatarevićová
 Antoine du Hamel
 Assaf Sapir
 Lukas Spieß
+Darcy Clarke
 Jim Fisher
 Xavier Guimard
+Attila Večerek
From f96fa104ff9fcfa37b55599161ed73c15981dbd4 Mon Sep 17 00:00:00 2001
From: Ruy Adorno
Date: Thu, 25 Mar 2021 16:50:32 -0400
Subject: [PATCH 5/5] 6.14.12

---
 package-lock.json | 2 +-
 package.json      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 7a7815dd944f6..6bc8ff8c30840 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "npm",
-  "version": "6.14.11",
+  "version": "6.14.12",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
diff --git a/package.json b/package.json
index fdbb33e23cd53..ace575f874cb1 100644
--- a/package.json
+++ b/package.json
@@ -1,5 +1,5 @@
 {
-  "version": "6.14.11",
+  "version": "6.14.12",
   "name": "npm",
   "description": "a package manager for JavaScript",
   "keywords": [