Description
Security Vulnerability Warning: minimist Version 0.0.10
Description:
The forever package version 4.0.3 uses a library called flatiron version 0.4.3, which in turn uses nconf version 0.6.9. The nconf library version 0.6.9 contains optimist version 0.6.0, which includes minimist version 0.0.10. The minimist version 0.0.10 has a known security vulnerability (CVE-2021-44906). Also flatiron relies directly on "optimist": "0.6.0"
dependencies:
forever 4.0.3
├── async 1.5.2
├─┬ flatiron 0.4.3
│ ├─┬ broadway 0.3.6
│ │ ├─┬ nconf 0.6.9
│ │ │ ├── async 0.2.9
│ │ │ ├── ini 1.3.8
│ │ │ └─┬ optimist 0.6.0
│ │ │ ├── minimist 0.0.10 <--
│ │ │ └── wordwrap 0.0.3
│ │ ├─┬ utile 0.2.1
│ │ ...
│ ├── director 1.2.7
│ ├─┬ optimist 0.6.0
│ │ ├── minimist 0.0.10 <--
│ │ └── wordwrap 0.0.3
│ └─┬ prompt 0.2.14
│ ├── pkginfo 0.4.1
Impact:
The vulnerability in minimist version 0.0.10 can potentially be exploited, leading to security risks in your application.
Solution:
There is a new version of nconf (version 0.12.1) that includes a newer version of minimist (greater or equal to 1.2.6) which addresses this security vulnerability. It is recommended to update to nconf version 0.12.1 to mitigate this issue. But flatiron is no longer actively maintained, so it's best to search for a replacement.
References:
Action Required:
Please search for an alternative for flatiron.
Thank you for your attention to this matter.