Vulnerability in optimist: consider replacing

I'm getting a dependabot alert for minimist < 0.2.1: [CVE-2020-7598][].

Currently, ejs-cli depends on [optimist][] 0.6.1, which depends on [minimist][] 0.0.10.

Optimist appears to have been abandoned, and has a deprecation notice directing users to [yargs][] or [nomnom][].

You may want to consider replacing optimist with yargs. While it's not a trivial change, it doesn't look too complex — I made [an attempt on a fork of this repository][fork], but ejs-cli has stopped working in my project, so I can't test it properly.

[CVE-2020-7598]: https://github.com/advisories/GHSA-vh95-rmgr-6w4m
[optimist]: https://github.com/substack/node-optimist
[minimist]: https://npmjs.org/package/minimist
[yargs]: https://github.com/chevex/yargs
[nomnom]: https://github.com/harthur/nomnom
[fork]: https://github.com/ngsctt/ejs-cli/tree/optimist-to-yargs

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerability in optimist: consider replacing #28

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Vulnerability in optimist: consider replacing #28

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions