┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ minimist before 1.2.2 could be tricked into adding or │ │ │ modifying properties of Object.prototype using a │ │ │ "constructor" or "__proto__" payload. │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ 0.2.1||1.2.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ rxjs-tslint [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ rxjs-tslint > optimist > minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-75… │ └───────────────┴──────────────────────────────────────────────────────────────┘

optimist depends on minimist, which has this security issue. optimist is no longer maintained and owner wont patch.
Suggest replacing optimist with yargs.
Solution provided here.