security: update minimist and geojson-rewind to avoid CVE-2021-44906

[Spasfonx]

Update dependencies on old versions of mapbox-gl-js (1.13.2) to avoid GHSA-xvch-5gv4-984h issue.

Edit: This fix is for old version of mapbox-gl-js (1.3.2)

[stepankuzmin]

Looks good to me, thanks @Spasfonx!

[stepankuzmin]

Sorry, missed that the PR was made to the release-v1.13.2 branch. What is your intent here? The minimist is only used as a dev dependency, so it wouldn't affect the library builds that were previously made.

[Spasfonx]

Thanks for your review ! Watch out, this fix apply only for old versions (1.x.x), I pointed at release-v1.13.2 because it was the last branch associated with the version 1.3.2 but maybe you have better branch to merge on :)

[Spasfonx]

stepankuzmin we reply at the same time héhé. Indeed it was my intent, the main update here for security is through geojson-rewind (which update minimist in 1.2.6 too). Because of this package we have audit issue in main dependencies even if this is a dev package juste by importing mapbox-gl-js@1.3.2

[stepankuzmin]

I see, thanks! Thanks for the contribution, but I'll close this PR since it doesn't affect the users. Sorry for the confusion.

[stepankuzmin]

Ah, so there is a security alert when you use the 1.x version? We should update it then.

[Spasfonx]

Yes indeed, sorry, the body of the issue lack of context maybe, my bad ! Here my yarn audit --groups dependencies log with mapbox-gl: 1.13.2 in our package.json

[Spasfonx]

Hello there, happy new year everyone ! 🎉

Some news on this update ?

[pascaloliv]

The changes looks good to me too. 👍 Well done @Spasfonx 🎉

[SnailBones]

Happy new year all and thanks for the PR @Spasfonx ! 🎉

Also looks good to me! Though, we may want to make a new branch for the release. We're aiming to get a release with the update out next week.

[Spasfonx]

Oh great ! Thanks you very much guys 💪

[stepankuzmin]

Thanks, everyone! This is now fixed in the v1.13.3 release.

[Spasfonx]

Thank you guys, perfect ! 🙏