grunt-cli high severity vulnerability

$ npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ set-value                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-cli > liftoff > findup-sync > micromatch > braces >    │
│               │ snapdragon > base > cache-base > set-value                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1012                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Jul 18 '19 16:07 mcandre

Strange on a fresh install I don't see that: Screen Shot 2019-07-18 at 10 04 17 AM

But [email protected] does get installed. Even when installing the latest liftoff so we might need wait for https://github.com/js-cli/js-liftoff/issues/107 to be resolved and then update here.

Jul 18 '19 17:07 shama

Something weird is going on. When I run npm audit against grunt-cli master branch, I get no warnings. But when I import grunt-cli 1.3.2 into another project, I get dozens of warnings for grunt-cli dependencies.

Regards liftoff, the project has lapsed. I published a fork with the security patches:

https://www.npmjs.com/package/liftoff2

May 05 '20 22:05 mcandre

Closing, because use of liftoff was temporary while issues with liftoff were addressed. https://github.com/gulpjs/liftoff has resumed maintenance since then, and is used by grunt-cli 1.4.2+.

Jun 09 '24 23:06 Krinkle