Vulnerability in child dependency for yargs

[chillheart]

• Operating System: Windows 10, Linux, macOS

• Node Version: 12.16.1

• NPM Version: 6.13.4

• webpack-dev-server Version: 3.9.0

• Browser: all

• This is a bug

• This is a modification request

Expected Behavior

webpack-dev-server uses yargs@12.0.5 that has a child dependency (yarg-parser) that contains a known vulnerability. The vulnerability has been patched in and updated in yargs@>13.0.0.0.

For Bugs; How can we reproduce the behavior?

The reproduction steps are available on the vulnerability disclosure.

https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381

[alexander-akait]

Fixed in deps

[karlhorky]

@evilebottnawi Where was this updated? The latest yargs in the master branch is still 12.0.5:

webpack-dev-server/package.json

Line 71 in 0e9bffb

"yargs": "12.0.5"

I also checked the next branch but that seems like it's unused...

[fturib]

There is a try to fix this vulnerability here #2249
However there is some blur on it really exist or not.

[nathanBrenner]

This needs to be opened back up. This has not been resolved: https://nvd.nist.gov/vuln/detail/CVE-2020-7608