Replace optimist with minimist #614

Closed
tiye opened this issue Mar 18, 2020 · 6 comments · Fixed by #622

tiye commented Mar 18, 2020

For known reasons we want to get rid of old versions of minimist from our projects. I looked into the dependencies and found that http-server relies on optimist, which is a deprecated package, and optimist relies on a very old version of minimist. https://github.com/substack/node-optimist/blob/master/package.json#L8

I'm a yarn user and I received lots of warnings since I used http-server in my projects, a lot... A viable solution might be reinstalling http-server and for some reason a newer version of minimist can be installed and the warning will be gone.

Is there anything to do on the http-server side?

@thornjad
Member

I completely sympathize with the headache of old packages in dependency trees! I'll take a look into fixing that on our side if I can!

besenwagen commented Mar 20, 2020

> we want to get rid of old versions of minimist

Just a note, packages that depend on the current version of minimist (1.2.5) do not pass the audit either although the report claims it does:

Patched in >=0.2.1 <1.0.0 || >=1.2.3

OK, scrap that. npm ls minimist omits some deduped dependencies for me. 🙄 Analyzing Path in the audit report per reported vulnerability is cumbersome but apparently necessary.
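
The per-path analysis described in the comment above can be scripted. This is an added example, not part of the thread or of http-server's code: it walks a lockfile, lists every dependency chain that ends at minimist, and checks the resolved version against the patched range quoted from the audit report. It assumes an npm `package-lock.json` in the v1 shape (yarn's lockfile is different); the lockfile contents, the package `other-dep` and the version `0.0.10` are constructed for illustration.

```javascript
// Added example: constructed npm lockfile (v1 shape). http-server, optimist and
// minimist are named in the thread; "other-dep" and version 0.0.10 are made up.
const PATCHED = '>=0.2.1 <1.0.0 || >=1.2.3'; // range quoted from the audit report
const lock = { dependencies: {
  'http-server': { requires: { optimist: '*', 'other-dep': '*' } },
  optimist: { requires: { minimist: '*' },
    dependencies: { minimist: { version: '0.0.10' } } }, // nested, non-deduped copy
  'other-dep': { requires: { minimist: '*' } },
  minimist: { version: '1.2.5' }, // hoisted copy shared by everything else
} };

// Compare two plain x.y.z versions (pre-release tags are not handled).
function cmp(a, b) {
  const [x, y] = [a, b].map(v => v.split('.').map(Number));
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}

// Minimal range check: supports only ">=", "<", AND (space) and OR ("||").
function satisfies(version, range) {
  const test = c => (c.startsWith('>=') ? cmp(version, c.slice(2)) >= 0 : cmp(version, c.slice(1)) < 0);
  return range.split('||').some(alt => alt.trim().split(/\s+/).every(test));
}

// Resolve a required name like Node does: nearest enclosing node_modules first.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const hit = (scopes[i].dependencies || {})[name];
    if (hit) return { node: hit, scopes: [...scopes.slice(0, i + 1), hit] };
  }
  return null;
}

// Every dependency chain from the direct dependencies down to `target`.
function findPaths(lockfile, direct, target) {
  const out = [];
  const walk = (name, scopes, path) => {
    const hit = resolve(name, scopes);
    if (!hit || path.includes(name)) return; // not installed, or a cycle
    const chain = [...path, name];
    if (name !== target) return Object.keys(hit.node.requires || {}).forEach(d => walk(d, hit.scopes, chain));
    const { version } = hit.node;
    out.push({ path: chain.join(' > '), version, patched: satisfies(version, PATCHED) });
  };
  direct.forEach(name => walk(name, [lockfile], []));
  return out;
}

console.log(findPaths(lock, ['http-server'], 'minimist'));
```

On the constructed lockfile, the chain through optimist resolves to the nested unpatched copy while the other chain resolves to the hoisted 1.2.5, which is the distinction a flat listing of installed versions hides.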

@thornjad
Member

So I've been able to upgrade several instances of minimist in the dependency tree. Many of them won't make a difference, they'll need you (the user) to re-install http-server to pick up the dependency changes. One upgrade did actually make a change I can control though and I'll add that to the next release.

However, the initial findings are right that the stubborn one is depended on by optimist. That will take a little more work to swap out, though I have actually done the switch from optimist to minimist before, so I know where to start.

@karlhorky

I guess #131 or #464 would replace optimist, maybe one of those can be cleaned up and merged?

yetzt commented Apr 6, 2020

@substack just has to press the merge-button here https://github.com/substack/node-optimist/issues/152

Kocal added a commit to Yproximite/webpack-encore-pack that referenced this issue Apr 12, 2020