Dependabot has picked up a dependency on an old version of yargs from migrate-mongoose^4.0.0.
There is a moderately-severe security vulnerability notice on yargs-parser@2.4.1:
The latest possible version that can be installed is 2.4.1 because of the following conflicting dependencies.
The earliest fixed version is 5.0.1.
I'm not exactly sure why the old version is still being resolved by NPM/Yarn but would it be possible to bump that up?
```json
"migrate-mongoose": {
  "version": "4.0.0",
  "resolved": "https://registry.npmjs.org/migrate-mongoose/-/migrate-mongoose-4.0.0.tgz",
  "integrity": "sha512-Zf4Jk+CvBZUrZx4q/vvYr2pRGYAo7RO4BJx/3aTAR9VhNa34/iV0Rhqj87Tflk0n14SgwZpqvixyJzEpmSAikg==",
  "requires": {
    "bluebird": "^3.3.3",
    "colors": "^1.1.2",
    "dotenv": "^8.0.0",
    "inquirer": "^0.12.0",
    "mkdirp": "^0.5.1",
    "mongoose": "^5.6.3",
    "yargs": "^4.8.1"
  }
},
"yargs": {
  "version": "4.8.1",
  "resolved": "https://registry.npmjs.org/yargs/-/yargs-4.8.1.tgz",
  "integrity": "sha1-wMQpJMpKqmsObaFznfshZDn53cA=",
  "requires": {
    "cliui": "^3.2.0",
    "decamelize": "^1.1.1",
    "get-caller-file": "^1.0.1",
    "lodash.assign": "^4.0.3",
    "os-locale": "^1.4.0",
    "read-pkg-up": "^1.0.1",
    "require-directory": "^2.1.1",
    "require-main-filename": "^1.0.1",
    "set-blocking": "^2.0.0",
    "string-width": "^1.0.1",
    "which-module": "^1.0.0",
    "window-size": "^0.2.0",
    "y18n": "^3.2.1",
    "yargs-parser": "^2.4.1"
  }
},
"yargs-parser": {
  "version": "2.4.1",
  "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-2.4.1.tgz",
  "integrity": "sha1-hVaN488VD/SfpRgl8DqMiA3cxcQ=",
  "requires": {
    "camelcase": "^3.0.0",
    "lodash.assign": "^4.0.6"
  }
}
```
nlenepveu
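As an added example (not part of the issue or of migrate-mongoose), a small Node script over a constructed excerpt of the lock fragment above shows why yargs-parser stays at 2.4.1: it follows the `requires` chain from migrate-mongoose and checks whether each caret range can ever admit the fixed version 5.0.1. It handles only the `^` ranges that appear in the fragment.

```javascript
// Constructed excerpt of an npm v1 package-lock "dependencies" map, modelled on
// the fragment in the issue (only the fields this script needs are kept).
const lock = {
  "migrate-mongoose": { version: "4.0.0", requires: { yargs: "^4.8.1" } },
  yargs: { version: "4.8.1", requires: { "yargs-parser": "^2.4.1" } },
  "yargs-parser": { version: "2.4.1", requires: { camelcase: "^3.0.0" } },
};

// "^2.4.1" or "2.4.1" -> [2, 4, 1]
const parse = (v) => v.replace(/^\^/, "").split(".").map(Number);

// Compare two x.y.z versions: negative if a < b, zero if equal, positive if a > b.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Exclusive upper bound of a caret range under npm rules:
// ^4.8.1 -> 5.0.0, ^0.5.1 -> 0.6.0 (major 0 only bumps the minor).
function caretUpper(range) {
  const [maj, min] = parse(range);
  return maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`;
}

// Follow `requires` from `root` until `target` is reached; returns the chain of
// "name@range" hops or null. `seen` guards against cycles in real lock files.
function requirementChain(deps, root, target, path = [root], seen = new Set()) {
  seen.add(root);
  const reqs = (deps[root] && deps[root].requires) || {};
  for (const [dep, range] of Object.entries(reqs)) {
    const hop = [...path, `${dep}@${range}`];
    if (dep === target) return hop;
    if (deps[dep] && !seen.has(dep)) {
      const found = requirementChain(deps, dep, target, hop, seen);
      if (found) return found;
    }
  }
  return null;
}

// For every package that requires `name`, report whether the resolved version is
// below `fixed` and whether the declared caret range could ever reach `fixed`.
function audit(deps, name, fixed) {
  const resolved = deps[name] ? deps[name].version : null;
  return Object.entries(deps)
    .filter(([, e]) => e.requires && e.requires[name])
    .map(([parent, e]) => ({
      parent, range: e.requires[name], resolved,
      vulnerable: resolved !== null && cmp(resolved, fixed) < 0,
      rangeCanReachFix: cmp(fixed, caretUpper(e.requires[name])) < 0,
    }));
}
```

`rangeCanReachFix: false` for `yargs@^2.4.1` is the answer to the question in the issue: no lockfile refresh can pull in 5.0.1 until yargs itself is bumped to a release that declares a newer yargs-parser range.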