From 72313f011d87c449dfb40909fd9689635980ce3c Mon Sep 17 00:00:00 2001 From: Whymarrh Whitby Date: Mon, 31 Aug 2020 21:54:06 -0230 Subject: [PATCH] Use derequire@2.1.1 (#9332) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This change updates `derequire` to address a low-severity security advisory with `yargs-parser`. See https://www.npmjs.com/advisories/1500 for more information. The `yarn audit` output: ``` ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ yargs-parser │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ browserify-derequire │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ browserify-derequire > derequire > yargs > yargs-parser │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://www.npmjs.com/advisories/1500 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ``` --- package.json | 1 + yarn.lock | 43 ++++++------------------------------------- 2 files changed, 7 insertions(+), 37 deletions(-) diff --git a/package.json b/package.json index 61501e9e7..1e6045c69 100644 --- a/package.json +++ b/package.json @@ -58,6 +58,7 @@ "**/socketcluster/minimist": "^1.2.5", "3box/ipfs/ipld-zcash/zcash-bitcore-lib/lodash": "^4.17.19", "3box/ipfs/ipld-zcash/zcash-bitcore-lib/elliptic": "^6.5.3", + "browserify-derequire/derequire": "^2.1.1", "ganache-core/lodash": "^4.17.19" }, "dependencies": { diff --git a/yarn.lock b/yarn.lock index 9877f1d49..b42738ecd 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3500,11 +3500,6 @@ acorn@^3.0.4: resolved "https://registry.yarnpkg.com/acorn/-/acorn-3.3.0.tgz#45e37fb39e8da3f25baee3ff5369e2bb5f22017a" integrity sha1-ReN/s56No/JbruP/U2niu18iAXo= -acorn@^4.0.3: - version "4.0.13" - resolved "https://registry.yarnpkg.com/acorn/-/acorn-4.0.13.tgz#105495ae5361d697bd195c825192e1ad7f253787" - integrity sha1-EFSVrlNh1pe9GVyCUZLhrX8lN4c= - acorn@^6.0.1, acorn@^6.0.2, acorn@^6.0.7, acorn@^6.2.1: version "6.4.1" resolved "https://registry.yarnpkg.com/acorn/-/acorn-6.4.1.tgz#531e58ba3f51b9dacb9a6646ca4debf5b14ca474" @@ -8873,16 +8868,16 @@ deps-sort@^2.0.0: subarg "^1.0.0" through2 "^2.0.0" -derequire@2.0.6: - version "2.0.6" - resolved "https://registry.yarnpkg.com/derequire/-/derequire-2.0.6.tgz#31a414bb7ca176239fa78b116636ef77d517e768" - integrity sha1-MaQUu3yhdiOfp4sRZjbvd9UX52g= +derequire@2.0.6, derequire@^2.1.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/derequire/-/derequire-2.1.1.tgz#342527ff5a460d4dd6745085e4091a4697a6803c" + integrity sha512-5hGVgKAEGhSGZM02abtkwDzqEOXun1dP9Ocw0yh7Pz7j70k4SNk7WURm93YyHbs2PcieRyX8m4ta1glGakw84Q== dependencies: - acorn "^4.0.3" + acorn "^7.1.1" concat-stream "^1.4.6" escope "^3.6.0" through2 "^2.0.0" - yargs "^6.5.0" + yargs "^15.3.1" des.js@^1.0.0: version "1.0.0" @@ -28295,13 +28290,6 @@ yargs-parser@^18.1.1, yargs-parser@^18.1.2, yargs-parser@^18.1.3: camelcase "^5.0.0" decamelize "^1.2.0" -yargs-parser@^4.2.0: - version "4.2.1" - resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-4.2.1.tgz#29cceac0dc4f03c6c87b4a9f217dd18c9f74871c" - integrity sha1-KczqwNxPA8bIe0qfIX3RjJ90hxw= - dependencies: - camelcase "^3.0.0" - yargs-parser@^5.0.0: version "5.0.0" resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-5.0.0.tgz#275ecf0d7ffe05c77e64e7c86e4cd94bf0e1228a" @@ -28407,25 +28395,6 @@ yargs@^15.3.1: y18n "^4.0.0" yargs-parser "^18.1.2" -yargs@^6.5.0: - version "6.6.0" - resolved "https://registry.yarnpkg.com/yargs/-/yargs-6.6.0.tgz#782ec21ef403345f830a808ca3d513af56065208" - integrity sha1-eC7CHvQDNF+DCoCMo9UTr1YGUgg= - dependencies: - camelcase "^3.0.0" - cliui "^3.2.0" - decamelize "^1.1.1" - get-caller-file "^1.0.1" - os-locale "^1.4.0" - read-pkg-up "^1.0.1" - require-directory "^2.1.1" - require-main-filename "^1.0.1" - set-blocking "^2.0.0" - string-width "^1.0.2" - which-module "^1.0.0" - y18n "^3.2.1" - yargs-parser "^4.2.0" - yargs@^7.1.0: version "7.1.0" resolved "https://registry.yarnpkg.com/yargs/-/yargs-7.1.0.tgz#6ba318eb16961727f5d284f8ea003e8d6154d0c8"