
Update to minimist v1.2.3+ #17241

Closed
ben-coble-sp opened this issue Mar 17, 2020 · 15 comments · Fixed by #17525

Comments

@ben-coble-sp

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.

🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑

The npm audit command is reporting a new vulnerability in an angular/cli dev dependency. This does not appear critical, but it does affect my company's internal tooling that requires passing npm audits.

https://www.npmjs.com/advisories/1179 - moderate vulnerability in minimist pre v1.2.3

@braydonharris

+1 same here

@9034725985

9034725985 commented Mar 17, 2020

GitHub reports both acorn and minimist.

Here's my yarn why output:

[kushal@ideapadflex-kushal ondotnetangularfrontend]$ yarn why acorn
yarn why v1.22.4
[1/4] Why do we have the module "acorn"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "acorn@6.4.0"
info Reasons this module exists
   - "@angular-devkit#build-angular#webpack" depends on it
   - Hoisted from "@angular-devkit#build-angular#webpack#acorn"
info Disk size without dependencies: "1.08MB"
info Disk size with unique dependencies: "1.08MB"
info Disk size with transitive dependencies: "1.08MB"
info Number of shared dependencies: 0
=> Found "rollup#acorn@7.1.0"
info This module exists because "@angular-devkit#build-angular#rollup" depends on it.
info Disk size without dependencies: "1.08MB"
info Disk size with unique dependencies: "1.08MB"
info Disk size with transitive dependencies: "1.08MB"
info Number of shared dependencies: 0
Done in 0.66s.
[kushal@ideapadflex-kushal ondotnetangularfrontend]$ yarn why minimist
yarn why v1.22.4
[1/4] Why do we have the module "minimist"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "minimist@1.2.0"
info Has been hoisted to "minimist"
info Reasons this module exists
   - Hoisted from "json5#minimist"
   - Hoisted from "@angular#compiler-cli#minimist"
   - Hoisted from "protractor#blocking-proxy#minimist"
   - Hoisted from "protractor#webdriver-manager#minimist"
   - Hoisted from "@angular-devkit#build-angular#loader-utils#json5#minimist"
info Disk size without dependencies: "96KB"
info Disk size with unique dependencies: "96KB"
info Disk size with transitive dependencies: "96KB"
info Number of shared dependencies: 0
=> Found "mkdirp#minimist@0.0.8"
info This module exists because "cacache#mkdirp" depends on it.
info Disk size without dependencies: "72KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "72KB"
info Number of shared dependencies: 0
=> Found "optimist#minimist@0.0.10"
info This module exists because "karma#optimist" depends on it.
info Disk size without dependencies: "80KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "80KB"
info Number of shared dependencies: 0
Done in 0.65s.

Associated git commit ondotnet/angularfrontend@9da071c

@alan-agius4
Collaborator

Blocking as this needs to be fixed upstream by several direct and transitive dependencies.

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack > watchpack >         
                  chokidar > fsevents > node-pre-gyp > mkdirp > minimist        
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack > watchpack >         
                  chokidar > fsevents > node-pre-gyp > tar > mkdirp > minimist  
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack > watchpack >         
                  chokidar > fsevents > node-pre-gyp > rc > minimist            
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack-dev-server >          
                  chokidar > fsevents > node-pre-gyp > mkdirp > minimist        
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack-dev-server >          
                  chokidar > fsevents > node-pre-gyp > tar > mkdirp > minimist  
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   @angular-devkit/build-angular [dev]                           
                                                                                
  Path            @angular-devkit/build-angular > webpack-dev-server >          
                  chokidar > fsevents > node-pre-gyp > rc > minimist            
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > optimist > minimist                                   
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
                                                                                
  Moderate        Prototype Pollution                                           
                                                                                
  Package         minimist                                                      
                                                                                
  Patched in      >=1.2.3                                                       
                                                                                
  Dependency of   protractor [dev]                                              
                                                                                
  Path            protractor > optimist > minimist                              
                                                                                
  More info       https://npmjs.com/advisories/1179                             
                                                                                
found 8 moderate severity vulnerabilities in 15582 scanned packages
  8 vulnerabilities require manual review. See the full report for details.
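The audit report above names the defect class ("Prototype Pollution") but not what it looks like in code. The following is an added example, not minimist's own source and not code from this project: a stripped-down argv parser in the style of minimist, in a vulnerable form and a hardened form. With safe=false it reproduces the behaviour advisory 1179 describes for releases before 1.2.3 (an argument such as --__proto__.polluted=yes writes into Object.prototype, so every object in the process inherits the injected property); with safe=true it shows the kind of key-segment guard that the patched releases apply. The FORBIDDEN_KEYS set, the setPath/parseArgs/pollutionLeak function names and the attacker argv are assumptions made for this example.

```javascript
'use strict';

// Added example, not minimist's source: a minimist-style argv parser shown
// in its vulnerable and hardened forms to illustrate advisory 1179.

// Key segments that walk into the prototype chain instead of creating a
// plain own property on the options object (assumed guard list).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Set `value` at a dotted path such as "a.b.c" on `obj`, creating
// intermediate objects. Returns false if the path was rejected.
function setPath(obj, path, value, safe) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (safe && FORBIDDEN_KEYS.has(key)) return false;
    // Vulnerable case: ({})['__proto__'] is Object.prototype, so it is not
    // undefined, no fresh object is created, and `cur` becomes the shared
    // prototype that every plain object inherits from.
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  const last = parts[parts.length - 1];
  if (safe && FORBIDDEN_KEYS.has(last)) return false;
  cur[last] = value;
  return true;
}

// Parse "--key=value", "--key" (boolean true) and positional arguments.
function parseArgs(argv, { safe = true } = {}) {
  const out = { _: [] };
  for (const arg of argv) {
    const m = /^--([^=]+)(?:=(.*))?$/.exec(arg);
    if (!m) { out._.push(arg); continue; }
    setPath(out, m[1], m[2] === undefined ? true : m[2], safe);
  }
  return out;
}

// Feed a constructed attacker-controlled argv through the parser and report
// whether an unrelated, freshly created object now carries the injected
// property. Returns the leaked value (undefined when nothing was polluted).
function pollutionLeak(safe) {
  const attackerArgv = ['--__proto__.polluted=yes', 'build']; // constructed input
  parseArgs(attackerArgv, { safe });
  const leaked = ({}).polluted;
  delete Object.prototype.polluted; // undo the pollution so later code is unaffected
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable parser leaks:', pollutionLeak(false)); // 'yes'
  console.log('hardened parser leaks:', pollutionLeak(true));    // undefined
}
```

The point for a build pipeline is the second half of the report: the parser is only reachable through dev-time tooling (karma, protractor, webpack's file watcher), so exploitation needs attacker-controlled command-line arguments to those tools, which is why the advisory is rated moderate rather than high.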

@SMSCodes07

Hi guys, I'm having the same error, and really, I don't know how I can resolve it. The npm documentation about this situation is so short.

https://www.npmjs.com/advisories/1179

@alastairtree

I am working around this at the moment by choosing to up the audit level from low to moderate, which then passes because the minimist issue is at the low level, while I wait for the upstream fix.

so

$ npm audit --audit-level=moderate

instead of

$ npm audit

@SMSCodes07

I am working around this at the moment by choosing to up the audit level from low to moderate, which then passes because the minimist issue is at the low level, while I wait for the upstream fix.

so

$ npm audit --audit-level=moderate

instead of

$ npm audit

Thanks for that @alastairtree i will try this, and then, i will let you know

@DomTripodi93

DomTripodi93 commented Mar 31, 2020

if you add the following below devDependencies in package.json:

"resolutions": { "minimist": "^1.2.3" }

then delete node_modules and run
npx npm-force-resolutions && npm install
it will resolve the issue for current builds

@sulemankhann

@DomTripodi93 what if we don't have browserlist installed? browserlist is required for this fix?

@DomTripodi93

DomTripodi93 commented Apr 1, 2020

@DomTripodi93 what if we don't have browserlist installed? browserlist is required for this fix?

No, browserlist isn't relevant, it's just the default last item in React (which is experiencing the same problem).

I should have said below "devDependencies", but it doesn't technically matter where it is located, it's just best practice to make it the last value, as you will likely remove it after the dependency is updated in the affected packages. I will update above

@sonicfran86

if you add the following below devDependencies in package.json:

"resolutions": { "minimist": "^1.2.3" }

then delete node_modules and run
npx npm-force-resolutions && npm install
it will resolve the issue for current builds

I'm getting an npm ERR! extraneous: minimist@1.2.3 after doing your solution steps and running npm ls minimist
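After forcing a resolution as described above, the practitioner's question is whether any copy of minimist older than the "Patched in" version is still pinned, and npm ls can be noisy about extraneous packages. The following is an added example, not Angular CLI's or npm's code: it walks a package-lock.json in the lockfileVersion 1 layout (nested copies live under each entry's "dependencies" object, which is what npm 6 wrote at the time of this thread) and lists every copy of a package below a given version, printing the same kind of dependency path the audit report shows. The SAMPLE_LOCK object is a constructed lockfile fragment, not a real project's lock; the function names and the simplified version comparison (numeric x.y.z only, pre-release suffixes ignored) are assumptions of this example.

```javascript
'use strict';

// Added example, not Angular CLI's or npm's code: find every copy of a
// package in a lockfileVersion 1 package-lock.json that predates the
// advisory's "Patched in" version.

// Constructed lockfile fragment for illustration (not a real project's lock).
// Versions mirror the audit paths in this thread: a hoisted minimist@1.2.0,
// two old nested copies under optimist and mkdirp, and one patched copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.0', dev: true },
    karma: {
      version: '4.1.0', dev: true,
      dependencies: {
        optimist: {
          version: '0.6.1', dev: true,
          dependencies: { minimist: { version: '0.0.10', dev: true } },
        },
      },
    },
    mkdirp: {
      version: '0.5.1', dev: true,
      dependencies: { minimist: { version: '0.0.8', dev: true } },
    },
    json5: {
      version: '2.1.1',
      dependencies: { minimist: { version: '1.2.5' } },
    },
  },
};

// Compare two dotted versions numerically. Pre-release suffixes are dropped,
// which is enough for the plain x.y.z releases discussed in this thread.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `name`, recording the dependency path
// that leads to it (same shape as the "Path" rows in the npm audit output).
function findCopies(deps, name, trail = [], acc = []) {
  for (const [depName, entry] of Object.entries(deps || {})) {
    const here = trail.concat(`${depName}@${entry.version}`);
    if (depName === name) {
      acc.push({ path: here.join(' > '), version: entry.version, dev: Boolean(entry.dev) });
    }
    findCopies(entry.dependencies, name, here, acc);
  }
  return acc;
}

// Return only the copies that are older than `patchedIn`.
function unpatchedCopies(lock, name, patchedIn) {
  return findCopies(lock.dependencies, name).filter(
    (c) => compareVersions(c.version, patchedIn) < 0,
  );
}

// Same check against a real lockfile on disk, e.g. './package-lock.json'.
function unpatchedCopiesFromFile(file, name, patchedIn) {
  const lock = JSON.parse(require('fs').readFileSync(file, 'utf8'));
  return unpatchedCopies(lock, name, patchedIn);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of unpatchedCopies(SAMPLE_LOCK, 'minimist', '1.2.3')) {
    console.log(`${hit.dev ? '[dev] ' : ''}${hit.path}`);
  }
}
```

Run stand-alone it prints the three unpatched paths from the sample (the hoisted 1.2.0 copy and the 0.0.10 and 0.0.8 copies under optimist and mkdirp) and skips the 1.2.5 copy under json5; point unpatchedCopiesFromFile at a real package-lock.json to check a project. Newer lockfile versions (lockfileVersion 2 and 3) use a flat "packages" map keyed by node_modules path instead, so this walker would need adapting for them.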

@alan-agius4
Collaborator

alan-agius4 commented Apr 17, 2020

Karma version 5.0.0 and Protractor version 5.4.4 have been released and both of them contain the security fix.

@kyliau is liaising with the Karma team to see if it is possible to backport the fix in Karma version 4.

@tomvmac

tomvmac commented Apr 20, 2020

I am currently using Angular core 8.3.0 and I see two versions of minimist 0.0.8 and 1.2.0. How do I include different versions of minimist for each dependency. Say for example for mkdirp@0.5.1, I want to use minimist@0.2.1 and for rc@1.2.8 I want to use minimist@1.2.3?

Below is my current npm list minimist before any updates:

├─┬ karma@4.1.0
│ ├─┬ chokidar@2.1.8
│ │ └─┬ fsevents@1.2.9
│ │   └─┬ node-pre-gyp@0.12.0
│ │     ├─┬ mkdirp@0.5.1
│ │     │ └── minimist@0.0.8
│ │     └─┬ rc@1.2.8
│ │       └── minimist@1.2.0

@alan-agius4
Collaborator

alan-agius4 commented Apr 22, 2020

@tomvmac, you update karma to version ~5.0.0

@alan-agius4 alan-agius4 self-assigned this Apr 22, 2020
kyliau pushed a commit that referenced this issue Apr 22, 2020
With this change we generate new workspaces with Karma version 5.
The previous version has several security vulnerabilities which were addressed in version 5.

Closes #17388 and closes #17241
@alan-agius4
Collaborator

Closed via #17525

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.


This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators May 23, 2020