All the vulnerabilities related to the version 0.1.0 of the package
Regular Expression Denial of Service in string package
Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
There is currently no direct patch for this vulnerability.
Currently, the best solution is to avoid passing user input to the underscore and unescapeHTML methods.
Alternatively, a user provided patch is available in Pull Request #217, however this patch has not been tested, nor has it been merged by the package author.
yargs-parser Vulnerable to Prototype Pollution
Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.
Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.
