[SECURITY] CVE in parse-git-config

[ajfarkas]

Hello! Dependabot alerted me to a prototype pollution vulnerability in parse-git-config. I just want to make sure you're aware of it.

It looks like they are aware of the issue, but do not yet have a fix.

What are your thoughts/plans on mitigating this?

[orta]

No plans, doesn't particularly seem like an exploit you'd be able to use in danger - given that it as already evaluating your on code.

You're welcome to help solve it upstream, then we'll update like other deps

[ajfarkas]

Reasonable.
We're using it on a FOSS project for government, and they have (for now) strict rules about patching.

[AlbertGazizov]

You're welcome to help solve it upstream, then we'll update like other deps

Unfortunately, the upstream repo was not updated for 7 years, and the author doesn't respond jonschlinkert/parse-git-config#15

[ashfurrow]

It seems like the upstream dependency is unlikely to merge the fix. We will need to fork it to resolve the CVE.

@AlbertGazizov do you have any interest in forking? We would need to publish the change to npm as well. Let me know, I can take a crack at it if not 👍

[ryanb93]

@orta PR open to replace this abandoned dependency with the simple-git library #1485