Prototype Pollution introduced due to vulnerable minimist version

[timbru31]

npm audit reports the following:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @wext/shipit [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @wext/shipit > web-ext > chrome-launcher > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @wext/shipit [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @wext/shipit > web-ext > mkdirp > minimist                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 low severity vulnerabilities in 13241 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

This is caused by depending on an old version of web-ext. Unfortunately, a newer web-ext version is not yet released (but fixed in their master).

[LinusU]

There was a patch release released to mkdirp, you should be able to fix this by running:

npm update mkdirp --depth=10

Unfortunately npm audit fix doesn't understand that it can fix it 😬