1 known bug in yargs-parser, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.
| Severity | Affected | Fixed in | Title | Status | Source |
|---|---|---|---|---|---|
| medium | 6.0.0 | 13.1.2 | yargs-parser Vulnerable to Prototype Pollution Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.
## Recommendation
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later. | fixed | osv:GHSA-p9pc-299p-vxgp |
Get this data programmatically \u2014 free, no authentication.
curl https://depscope.dev/api/bugs/npm/yargs-parser