rc is unhealthy dependency

[KillyMXI]

rc package seems to be abandoned by it's author years ago and doesn't get the security updates : https://github.com/dominictarr/rc/issues

If it can't be brought back to life then it would be better to replace it with something else.

[stieben]

tl;dr: I suggest to replace the rc dependency with the fork run-con.

GitHub has published an advisory on 10 Dec 2020 (CVE-2020-7788):

The ini npm package before version 1.3.6 has a Prototype Pollution vulnerability.

The latest version of rc (currently 3 years old) – and by extension the latest version of markdownlint-cli – uses a version of ini below 1.3.6 and is thus affected by the vulnerability. The maintainer of rc, @dominictarr, has expressed 2 months ago that he will not update his rc package to use a newer version of ini – which confirms that rc is indeed an unhealthy dependency.

@goatandsheep has created the fork run-con that looks like a viable alternative.

[stieben]

I have to correct my previous comment that was based on a wrong understanding of semver. The ini version in the latest rc is defined as ~1.3.0 which is equivalent to 1.3.x, so there should actually be no need for an update of rc, at least in the context of the Prototype Pollution vulnerability mentioned above. Sorry for that.

Switching to the fork may still be the better option because its maintainer looks more eager to maintain it.