minimist prototype pollution (npm, <1.2.6)
Part of Dependencies & Hygiene, which counts for 10% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Flags a manifest pin of minimist below 1.2.6, before CVE-2021-44906's prototype-pollution fix in the argument parser.
Why it matters
minimist before 1.2.6 has a prototype-pollution bug in its command-line argument parser (CVE-2021-44906): a crafted argument like --__proto__.polluted=true can add properties to Object.prototype that affect every object in the process, including ones your own code never touches directly. minimist is an extremely common transitive dependency (pulled in by many CLI tools), so this shows up in dependency trees far more often than most developers realize. This check is a small, hand-picked list of known, historically-significant incidents, not a live CVE feed -- for continuous CVE monitoring, run a dedicated SCA tool (npm audit, pip-audit, OWASP Dependency-Check, Snyk, or similar) against your resolved dependency tree.
How to fix it
Bump minimist to 1.2.6 or later. If it is only a transitive dependency, update the parent package or add an override/resolutions entry forcing 1.2.6+.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo