open-cli vulnerability SNYK-JS-YARGSPARSER-560381

[asos-craigmorten]

open-cli has a prototype pollution vulnerability in it's sub-dependency yargs-parser.

Vulnerability details:

• Snyk report: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
• Vuln PoC: https://gist.github.com/Kirill89/dcd8100d010896157a36624119439832
• yargs-parser fix commit: yargs/yargs-parser@63810ca
• CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
• CWE: https://cwe.mitre.org/data/definitions/400.html

Current dependency chain:

• open-cli@5.0.0 -> meow@5.0.0 -> yargs-parser@10.1.0

Fix:

• Update package.json to use fixed version of meow (version without vuln currently not available).

[sindresorhus]

I fixed this to silence the warning for people, but I strongly disagree that this is a vulnerability, and also, Snyk is not a trusted source: https://twitter.com/sindresorhus/status/1123986529498664961