
vulnerability CVE-2020-7598 is introduced by package minimist #1961

Open

ayaka-kms opened this issue Aug 9, 2021 · 1 comment

Comments


ayaka-kms commented Aug 9, 2021

Hi, @honzajavorek @artem-zakharchenko, a vulnerability CVE-2020-7598 is introduced in dredd@14.0.0 via:
dredd@14.0.0 ➔ optimist@0.6.1 ➔ minimist@0.0.10

However, optimist is a legacy package, which has not been maintained for about 8 years.
Is it possible to migrate from optimist to another package to remediate this vulnerability?

I noticed several migration records in other JS repos (for dredd's reference):

  1. in handlebars, version 4.7.3 --> 4.7.4, migrated optimist to yargs via commit
  2. in db-migrate, version 1.0.0-beta.2 --> 1.0.0-beta.3, migrated optimist to yargs via commit
  3. in http-server, version 0.12.1 --> 0.12.2, deprecated optimist and used minimist directly via commit

Thanks.
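The chain quoted in the report can be confirmed from the lockfile itself rather than from a scanner's summary. The following is an added example, not code from the issue or from the Dredd project: it walks a lockfileVersion 1 style `package-lock.json` tree and lists every dependency path that reaches a target package, resolving `requires` entries the way npm does (nearest enclosing copy, so hoisted packages are found at an ancestor). The lockfile, the direct-dependency list and the helper name `findDependencyPaths` are constructed for illustration.

```javascript
// Added example (not Dredd's code). The lockfile below is a constructed
// sample shaped like a lockfileVersion 1 package-lock.json, not Dredd's real one.
const sampleLock = {
  name: 'dredd', version: '14.0.0', lockfileVersion: 1,
  dependencies: {
    optimist: {
      version: '0.6.1',
      requires: { minimist: '~0.0.1', wordwrap: '~0.0.2' },
      dependencies: { minimist: { version: '0.0.10' } }, // nested copy, not hoisted
    },
    wordwrap: { version: '0.0.3' },                       // hoisted to the root
    'other-cli': { version: '2.0.0', requires: { minimist: '^1.2.5' } },
    minimist: { version: '1.2.5' },                       // hoisted copy used by other-cli
  },
};
// Direct dependencies come from package.json, not the lockfile (constructed sample).
const sampleDirectDeps = ['optimist', 'other-cli'];

// Return every "name@version -> ..." chain from the root package to `target`.
function findDependencyPaths(lock, directDeps, target) {
  const found = [];
  // npm resolves a required name to the nearest enclosing `dependencies` map.
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--) if (scopes[i][name]) return scopes[i][name];
    return null;
  };
  const walk = (name, info, scopes, trail) => {
    const path = [...trail, `${name}@${info.version}`];
    if (name === target) found.push(path.join(' -> '));
    const next = info.dependencies ? [...scopes, info.dependencies] : scopes;
    // Names already on the path: stop there so cyclic requires cannot recurse forever.
    const seen = new Set(path.map(p => p.slice(0, p.lastIndexOf('@'))));
    for (const dep of Object.keys(info.requires || {})) {
      if (seen.has(dep)) continue;
      const child = resolve(dep, next);
      if (child) walk(dep, child, next, path);
    }
  };
  const rootScope = [lock.dependencies || {}];
  for (const dep of directDeps) {
    const info = resolve(dep, rootScope);
    if (info) walk(dep, info, rootScope, [`${lock.name}@${lock.version}`]);
  }
  return found;
}

console.log(findDependencyPaths(sampleLock, sampleDirectDeps, 'minimist').join('\n'));
```

Run against a real lockfile by replacing the two samples with the parsed `package-lock.json` and the `dependencies` keys of `package.json`; each reported path shows which direct dependency pulls in the flagged version, which is what decides whether a migration (as proposed above) removes it.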

Contributor

honzajavorek commented Aug 17, 2021

Thanks @ayaka-kms for bringing this up! I vaguely remember pushing some changes in Dredd so that we could replace optimist, e.g. with yargs. It's been a few years though and I'm not actively participating in Dredd anymore, so I can't say how much is missing now.

That said, the CVE you mention is something quite unlikely to affect Dredd users, given the nature of how optimist is used and how Dredd is typically executed. Correct me if I'm wrong and there is a real attack vector that could actually cause damage.
