npm install nyc does not produce any audit errors, only during npm install from the git repo. This is via a deep development dependency and it's outside our control. #1314 updates standard-version to latest and refreshes the package-lock.json but this is all that can be done here.
I'm closing this issue as it does not affect the published package and nothing can be done about it. For your peace of mind this is a false vulnerability report, one of many reported by Snyk lately. They assert that if you run standard-version --foo.__proto__.bar baz the addition of the bar property to all objects demonstrates a vulnerability. Anyone who has access to run CLI arguments can set NODE_OPTIONS=--require=/path/to/hijack-prototype.js even with the yargs-parser "vulnerability" fixed.
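The behaviour discussed in the comment above, as an added example that is not part of the thread and is not yargs-parser's code: a simplified dotted-key option parser showing how --foo.__proto__.bar baz ends up on Object.prototype, beside a variant that rejects such keys. All function names are hypothetical and the sample arguments are constructed.

```javascript
// Added illustration: a simplified dotted-key option parser, not yargs-parser's code.
// parse, setPath, parseNaive, parseHardened, isPolluted and demo are hypothetical names.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk "a.b.c" into nested objects and assign the value at the leaf.
function setPath(root, dotted, value, guard) {
  const keys = dotted.split('.');
  // Hardened mode: refuse the whole option rather than walk into a prototype.
  if (guard && keys.some((k) => UNSAFE_KEYS.has(k))) return false;
  let node = root;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key]; // naive mode: for key "__proto__" this is Object.prototype
  }
  node[keys[keys.length - 1]] = value;
  return true;
}

// argv is the list after the program name, e.g. ['--foo.__proto__.bar', 'baz'].
function parse(argv, guard) {
  const options = guard ? Object.create(null) : {};
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const name = argv[i].slice(2);
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    if (!setPath(options, name, value, guard)) rejected.push(name);
  }
  return { options, rejected };
}
const parseNaive = (argv) => parse(argv, false);
const parseHardened = (argv) => parse(argv, true);

// True if an unrelated, freshly created object already has the property.
const isPolluted = (prop) => prop in {};

function demo() {
  // Constructed input: the argument from the comment plus one ordinary option.
  const sample = ['--foo.__proto__.bar', 'baz', '--reporter', 'text'];
  const hardened = parseHardened(sample);
  const afterHardened = isPolluted('bar');
  parseNaive(sample);
  const afterNaive = isPolluted('bar');
  delete Object.prototype.bar; // undo the change so the process is left clean
  return { afterHardened, afterNaive, rejected: hardened.rejected,
           reporter: hardened.options.reporter };
}
console.log(demo());
```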
Link to bug demonstration repository
https://github.com/istanbuljs/nyc
Expected Behavior
npm audit does not return any errors (the policy here appears to be that it doesn’t return any errors after an npm audit fix, which is the case here).
Observed Behavior
Troubleshooting steps
git clone https://github.com/istanbuljs/nyc.git
npm audit fix
npm audit
Environment Information