vulnerability in gulp 4.0.2

[jdneo]

The minimist needs to upgrade to >= 1.2.2

├─┬ gulp@4.0.2
│ └─┬ glob-watcher@5.0.3
│ └─┬ chokidar@2.1.6
│ └─┬ fsevents@1.2.9
│ └─┬ node-pre-gyp@0.12.0
│ ├─┬ mkdirp@0.5.1
│ │ └── minimist@0.0.8
│ └─┬ rc@1.2.8
│ └── minimist@1.2.0

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

[tschallacka]

Related: isaacs/node-mkdirp#11

related: dominictarr/rc#114

[gregg-cbs]

and kind-of is causing a ton of audit fails.

Path

gulp > gulp-cli > matchdep > micromatch > extglob > define-property > is-descriptor > kind-of   

[yocontra]

Once mkdirp updates, the dependency will be pulled in automatically since we use semver - there isn't really anything actionable for us to do about this. Run npm update after the relevant packages fix themselves.

FWIW these npm audit warnings have no attack vector and I have always had an issue with how NPM/Snyk reports these "vulnerabilities". We get reports for these all the time and 0 of them have ever had any real exploitability. I used to be a pentester for a living + have published a handful of CVEs so I take the security of my packages extremely seriously.

[phated]

Your npm audit gives no context and you probably need to look at using a better tool. Like contra said, these don't effect us. In fact, minimist would only be used if you were directly running those dependencies as a command line tool, which you aren't when you are using gulp.