npm Community Forum (Archive)

transitive vulnerability yargs < 13.3.0

What I Wanted to Do

We use npm as a package dependency without getting vulnerabilities.

What Happened Instead

The current npm versions have a transitive vulnerability via mem@^1.0.0:

npm 6.10.2 > libnpx 10.2.0 > yargs 11.1.0 > os-locale 2.1.0 > mem 1.1.0

Reproduction Steps

Create a new package.json and add the npm package. Now you have the vulnerable mem package.


The libnpx dependency should be updated. The vulnerability was fixed in yargs@^13.3.0.

Platform Info

$ npm --versions
{ renovate: '0.0.0-semantic-release',
  npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.34.0',
  node: '10.16.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform
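Added example (not part of the original post and not npm's own code): a small Node script that walks a package-lock.json in the nested lockfileVersion 1 layout that npm 6 writes, prints every dependency chain that reaches a given package, and flags installs older than the version the post names as fixed (yargs 13.3.0). The lock data below is constructed to mirror the chain reported in the post; the `requires` ranges and the hoisted top-level `mem@4.0.0` entry are assumptions for illustration, not data from the post.

```javascript
'use strict';
// Constructed sample lock data mirroring the chain in the post:
// npm > libnpx > yargs > os-locale > mem. Versions come from the post;
// the "requires" ranges and the hoisted mem@4.0.0 are assumptions.
const SAMPLE_LOCK = {
  name: 'repro',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    npm: {
      version: '6.10.2',
      requires: { libnpx: '^10.2.0' },
      dependencies: {
        libnpx: {
          version: '10.2.0',
          requires: { yargs: '^11.0.0' },
          dependencies: {
            yargs: {
              version: '11.1.0',
              requires: { 'os-locale': '^2.0.0' },
              dependencies: {
                'os-locale': {
                  version: '2.1.0',
                  requires: { mem: '^1.1.0' },
                  dependencies: { mem: { version: '1.1.0' } },
                },
              },
            },
          },
        },
      },
    },
    // A second copy of mem hoisted to the top level (constructed); it does
    // not replace the nested copy that os-locale actually resolves to.
    mem: { version: '4.0.0' },
  },
};

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release tags are dropped: minimal comparator, not full semver.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested lock tree, collecting every path that
// ends at `target`. Each hit records the chain as "name@version" strings.
function findPaths(lock, target) {
  const hits = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(`${name}@${entry.version}`);
      if (name === target) hits.push({ path: here, version: entry.version });
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Report each installed copy of `target` and whether it is older than
// `fixedVersion`.
function auditTarget(lock, target, fixedVersion) {
  return findPaths(lock, target).map((hit) => ({
    chain: hit.path.join(' > '),
    version: hit.version,
    vulnerable: compareVersions(hit.version, fixedVersion) < 0,
  }));
}

// Run directly: node audit-paths.js [path/to/package-lock.json]
// Without an argument the constructed sample lock is used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  for (const r of auditTarget(lock, 'yargs', '13.3.0')) {
    console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok'} ${r.version} ${r.chain}`);
  }
  for (const r of findPaths(lock, 'mem')) {
    console.log(`mem ${r.version} via ${r.path.join(' > ')}`);
  }
}
```

Pointing the script at a real lock file generated by `npm install npm@6.10.2` shows the same nested chain; the point of the hoisted entry in the sample is that a newer copy at the top level does not fix a nested one, so only a libnpx release that requires yargs ^13.3.0 removes the path.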