🚨 [security] Update minimist: 1.2.5 → 1.2.8 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ minimist (1.2.5 → 1.2.8) · Repo · Changelog

Security Advisories 🚨

🚨 Prototype Pollution in minimist

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Release Notes

1.2.8 (from changelog)

Merged

• [Fix] Fix long option followed by single dash #17
• [Tests] Remove duplicate test #12
• [Fix] opt.string works with multiple aliases #10

Fixed

• [Fix] Fix long option followed by single dash (#17) #15
• [Tests] Remove duplicate test (#12) #8
• [Fix] Fix long option followed by single dash #15
• [Fix] opt.string works with multiple aliases (#10) #9
• [Fix] Fix handling of short option with non-trivial equals #5
• [Tests] Remove duplicate test #8
• [Fix] opt.string works with multiple aliases #9

Commits

• Merge tag 'v0.2.3' a026794
• [eslint] fix indentation and whitespace 5368ca4
• [eslint] fix indentation and whitespace e5f5067
• [eslint] more cleanup 62fde7d
• [eslint] more cleanup 36ac5d0
• [meta] add auto-changelog 73923d2
• [actions] add reusable workflows d80727d
• [eslint] add eslint; rules to enable later are warnings 48bc06a
• [eslint] fix indentation 34b0f1c
• [readme] rename and add badges 5df0fe4
• [Dev Deps] switch from covert to nyc a48b128
• [Dev Deps] update covert, tape; remove unnecessary tap f0fb958
• [meta] create FUNDING.yml; add funding in package.json 3639e0c
• [meta] use npmignore to autogenerate an npmignore file be2e038
• Only apps should have lockfiles 282b570
• isConstructorOrProto adapted from PR ef9153f
• [Dev Deps] update @ljharb/eslint-config, aud 098873c
• [Dev Deps] update @ljharb/eslint-config, aud 3124ed3
• [meta] add safe-publish-latest 4b927de
• [Tests] add aud in posttest b32d9bd
• [meta] update repo URLs f9fdfc0
• [actions] Avoid 0.6 tests due to build failures ba92fe6
• [Dev Deps] update tape 950eaa7
• [Dev Deps] add missing npmignore dev dep 3226afa
• Merge tag 'v0.2.2' 980d7ac

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 52 commits:

• v1.2.8
• Merge tag 'v0.2.3'
• v0.2.3
• [Fix] Fix long option followed by single dash (#17)
• [Tests] Remove duplicate test (#12)
• [eslint] fix indentation
• [Dev Deps] add missing `npmignore` dev dep
• [Dev Deps] update `@ljharb/eslint-config`, `aud`
• [Fix] Fix long option followed by single dash
• [actions] Avoid 0.6 tests due to build failures
• [Dev Deps] update `tape`
• [Fix] opt.string works with multiple aliases (#10)
• [Fix] Fix handling of short option with non-trivial equals
• [Dev Deps] update `@ljharb/eslint-config`, `aud`
• [Tests] Remove duplicate test
• [Fix] opt.string works with multiple aliases
• [eslint] more cleanup
• [eslint] fix indentation and whitespace
• Merge tag 'v0.2.2'
• v0.2.2
• v1.2.7
• [meta] add `auto-changelog`
• [meta] add `auto-changelog`
• [actions] add reusable workflows
• [meta] add `safe-publish-latest`
• [eslint] add eslint; rules to enable later are warnings
• [Tests] add `aud` in `posttest`
• [readme] rename and add badges
• [actions] add reusable workflows
• [meta] add `safe-publish-latest`
• [eslint] add eslint; rules to enable later are warnings
• [Tests] add `aud` in `posttest`
• [readme] rename and add badges
• [Dev Deps] switch from `covert` to `nyc`
• [Dev Deps] switch from `covert` to `nyc`
• [Dev Deps] update `covert`, `tape`; remove unnecessary `tap`
• [Dev Deps] update `covert`, `tape`; remove unnecessary `tap`
• [meta] create FUNDING.yml; add `funding` in package.json
• [meta] use `npmignore` to autogenerate an npmignore file
• [meta] create FUNDING.yml; add `funding` in package.json
• [meta] use `npmignore` to autogenerate an npmignore file
• [meta] update repo URLs
• [meta] update repo URLs
• Only apps should have lockfiles
• Only apps should have lockfiles
• 1.2.6
• security notice for additional prototype pollution issue
• isConstructorOrProto adapted from PR
• [eslint] more cleanup
• [eslint] fix indentation and whitespace
• isConstructorOrProto adapted from PR
• test from prototype pollution PR

↗️ ccxt (indirect, 1.29.24 → 1.24.34) · Repo

Sorry, we couldn't find anything useful about this release.

🆕 @​ekliptor/apputils (added, 0.1.23)

🆕 @​ekliptor/bintrees-local (added, 1.0.9)

🆕 @​ekliptor/bit-models (added, 1.0.92)

🆕 @​ekliptor/bitfinex-api-node-seq (added, 1.1.2)

🆕 @​ekliptor/bitmex-realtime-api-fix (added, 0.4.8)

🆕 @​ekliptor/node-bittrex-api-fix (added, 0.8.4)

🆕 @​ekliptor/reddit-snooper (added, 1.0.2)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)