yargs-parser vulnerabilities #108
Comments
|
Would be great to get a fix soon 👍 |
|
hey @xzyfer - I see node-sass attempts to keep a huge amount of node backcompat but there are no patched versions of yargs with explicit support for < node 4. I feel I've been staring at different version specifiers and dependency trees for so long I'm not sure of the best way forward. A possible option would be to split the cli-part of this repo out from the API? It seems there is no requirement to push yargs as a dependency down the tree for consumers that are only using this as an API. |
|
Hey @thomas-mcdonald I've been giving this some thought also, hence the delayed patch. As you've said node-sass maintains BC back node 0.10 - however it does not utilise the sass-graph cli. I have considered splitting out the cli function as you've also suggested but have decided against creating more ongoing work for myself. I think in this case we're ok to just bump the yargs dep. Node-sass BC should be fine since we shouldn't be excerising the yargs code paths. |
|
Note well also want to bump yargs dependency on the V2 branch since that's the version line node-sass currently uses |
|
Released as 3.0.5 and 2.2.5 |
can you please update your packages?
help a homie out :)
The text was updated successfully, but these errors were encountered: