bump minimist

node_modules/minimist/example/parse.js

@@ -1,2 +1,2 @@
 var argv = require('../')(process.argv.slice(2));
-console.dir(argv);
+console.log(argv);

node_modules/minimist/index.js

@@ -68,12 +68,21 @@ module.exports = function (args, opts) {
 
     function setKey (obj, keys, value) {
         var o = obj;
-        keys.slice(0,-1).forEach(function (key) {
+        for (var i = 0; i < keys.length-1; i++) {
+            var key = keys[i];
+            if (key === '__proto__') return;
             if (o[key] === undefined) o[key] = {};
+            if (o[key] === Object.prototype || o[key] === Number.prototype
+                || o[key] === String.prototype) o[key] = {};
+            if (o[key] === Array.prototype) o[key] = [];
             o = o[key];
-        });
+        }
 
         var key = keys[keys.length - 1];
+        if (key === '__proto__') return;
+        if (o === Object.prototype || o === Number.prototype
+            || o === String.prototype) o = {};
+        if (o === Array.prototype) o = [];
         if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
             o[key] = value;
         }
@@ -171,7 +180,7 @@ module.exports = function (args, opts) {
                     setArg(key, args[i+1], arg);
                     i++;
                 }
-                else if (args[i+1] && /true|false/.test(args[i+1])) {
+                else if (args[i+1] && /^(true|false)$/.test(args[i+1])) {
                     setArg(key, args[i+1] === 'true', arg);
                     i++;
                 }

node_modules/minimist/package.json

@@ -1,27 +1,27 @@
 {
-  "_from": "minimist@^1.2.0",
+  "_from": "minimist@^1.2.2",
-  "_id": "minimist@1.2.0",
+  "_id": "minimist@1.2.5",
   "_inBundle": false,
-  "_integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=",
+  "_integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==",
   "_location": "/minimist",
   "_phantomChildren": {},
   "_requested": {
     "type": "range",
     "registry": true,
-    "raw": "minimist@^1.2.0",
+    "raw": "minimist@^1.2.2",
     "name": "minimist",
     "escapedName": "minimist",
-    "rawSpec": "^1.2.0",
+    "rawSpec": "^1.2.2",
     "saveSpec": null,
-    "fetchSpec": "^1.2.0"
+    "fetchSpec": "^1.2.2"
   },
   "_requiredBy": [
     "/"
   ],
-  "_resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+  "_resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-  "_shasum": "a35008b20f41383eec1fb914f4cd5df79a264284",
+  "_shasum": "67d66014b66a6a8aaa0c083c5fd58df4e4e97602",
-  "_spec": "minimist@^1.2.0",
+  "_spec": "minimist@^1.2.2",
-  "_where": "F:\\projects\\p\\minifyfromhtml",
+  "_where": "/home/s2/Code/minifyfromhtml",
   "author": {
     "name": "James Halliday",
     "email": "mail@substack.net",
@@ -69,5 +69,5 @@
       "opera/12"
     ]
   },
-  "version": "1.2.0"
+  "version": "1.2.5"
 }

node_modules/minimist/readme.markdown

@@ -5,15 +5,11 @@ parse argument options
 This module is the guts of optimist's argument parser without all the
 fanciful decoration.
 
-[![browser support](https://ci.testling.com/substack/minimist.png)](http://ci.testling.com/substack/minimist)
-
-[![build status](https://secure.travis-ci.org/substack/minimist.png)](http://travis-ci.org/substack/minimist)
-
 # example
 
 ``` js
 var argv = require('minimist')(process.argv.slice(2));
-console.dir(argv);
+console.log(argv);
 ```
 
 ```
@@ -33,6 +29,13 @@ $ node example/parse.js -x 3 -y 4 -n5 -abc --beep=boop foo bar baz
   beep: 'boop' }
 ```
 
+# security
+
+Previous versions had a prototype pollution bug that could cause privilege
+escalation in some circumstances when handling untrusted user input.
+
+Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+
 # methods
 
 ``` js
@@ -65,19 +68,20 @@ argument names to use as aliases
 first non-option
 * `opts['--']` - when true, populate `argv._` with everything before the `--`
 and `argv['--']` with everything after the `--`. Here's an example:
+
+  ```
+  > require('./')('one two three -- four five --six'.split(' '), { '--': true })
+  { _: [ 'one', 'two', 'three' ],
+    '--': [ 'four', 'five', '--six' ] }
+  ```
+
+  Note that with `opts['--']` set, parsing for arguments still stops after the
+  `--`.
+
 * `opts.unknown` - a function which is invoked with a command line parameter not
 defined in the `opts` configuration object. If the function returns `false`, the
 unknown option is not added to `argv`.
 
-```
-> require('./')('one two three -- four five --six'.split(' '), { '--': true })
-{ _: [ 'one', 'two', 'three' ],
-  '--': [ 'four', 'five', '--six' ] }
-```
-
-Note that with `opts['--']` set, parsing for arguments still stops after the
-`--`.
-
 # install
 
 With [npm](https://npmjs.org) do:

node_modules/minimist/test/bool.js

@@ -164,3 +164,15 @@ test('boolean --boool=false', function (t) {
     t.same(parsed.boool, false);
     t.end();
 });
+
+test('boolean using something similar to true', function (t) {
+    var opts = { boolean: 'h' };
+    var result = parse(['-h', 'true.txt'], opts);
+    var expected = {
+        h: true,
+        '_': ['true.txt']
+    };
+
+    t.same(result, expected);
+    t.end();
+});

node_modules/minimist/test/proto.js

@@ -0,0 +1,44 @@
+var parse = require('../');
+var test = require('tape');
+
+test('proto pollution', function (t) {
+    var argv = parse(['--__proto__.x','123']);
+    t.equal({}.x, undefined);
+    t.equal(argv.__proto__.x, undefined);
+    t.equal(argv.x, undefined);
+    t.end();
+});
+
+test('proto pollution (array)', function (t) {
+    var argv = parse(['--x','4','--x','5','--x.__proto__.z','789']);
+    t.equal({}.z, undefined);
+    t.deepEqual(argv.x, [4,5]);
+    t.equal(argv.x.z, undefined);
+    t.equal(argv.x.__proto__.z, undefined);
+    t.end();
+});
+
+test('proto pollution (number)', function (t) {
+    var argv = parse(['--x','5','--x.__proto__.z','100']);
+    t.equal({}.z, undefined);
+    t.equal((4).z, undefined);
+    t.equal(argv.x, 5);
+    t.equal(argv.x.z, undefined);
+    t.end();
+});
+
+test('proto pollution (string)', function (t) {
+    var argv = parse(['--x','abc','--x.__proto__.z','def']);
+    t.equal({}.z, undefined);
+    t.equal('...'.z, undefined);
+    t.equal(argv.x, 'abc');
+    t.equal(argv.x.z, undefined);
+    t.end();
+});
+
+test('proto pollution (constructor)', function (t) {
+    var argv = parse(['--constructor.prototype.y','123']);
+    t.equal({}.y, undefined);
+    t.equal(argv.y, undefined);
+    t.end();
+});

package-lock.json

@@ -406,9 +406,9 @@
       }
     },
     "minimist": {
-      "version": "1.2.0",
+      "version": "1.2.5",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-      "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ="
+      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw=="
     },
     "nwsapi": {
       "version": "2.2.0",

package.json

@@ -11,7 +11,7 @@
   "dependencies": {
     "clean-css": "^4.2.3",
     "jsdom": "^14.0.0",
-    "minimist": "^1.2.0",
+    "minimist": "^1.2.2",
     "terser": "^4.6.3"
   },
   "repository": {