Security Vulnerability Issue

[iadibar]

Im using webfont package that dependent on meow. meow dependent on yargs-parser.
when I scan my app (with Veracode sca) I getting Command Injection Vulnerability from yargs-parser version 10.1.0,
They suggest updating yargs-parser to [email protected], so that it is not vulnerable version, but I can not do it in my code because the dependencies are inside your code so I'll be happy if you can update your meow to latest version(inside webfont package.json
dependency).

screen shot from veracode SCA
error : Prototype Pollution yargs-parser is vulnerable to prototype pollution. The attack exists as it does not properly sanitize the key value provided by users, allowing the malicious properties of Object.prototype to be parsed or modified using a proto payload.

[ghost]

This is a dupe of #302 - it's fixed in the master branch, just waiting for a release.

[jimmyandrade]

@iadibar thanks for reporting. Webfont 10 was released, and I think that this issue was resolved. Could you please check it out? Thanks!

[jimmyandrade]

This is a dupe of #302 - it's fixed in the master branch, just waiting for a release.

@iainbethune Thanks for helping us with issues maintenance! :)

[wkeese]

Looks like this is fixed in 11.2.26 (or earlier), I think you can close this ticket.