Upgrade yargs to 16.0.0 to fix prototype pollution high vulnerability issue

[jjloneman]

🐛 Bug Report

I am unable to use react-scripts@4.0.1 for work due to a high vulnerability security issue with jest@26.6.3 pulling in yargs@15.4.1 (see https://snyk.io/test/npm/react-scripts/4.0.1)

Jest vulnerability report: https://snyk.io/test/npm/jest/26.6.3

Note: This also affects jest-circus@26.3.3 (https://snyk.io/test/npm/jest-circus/26.6.3)

To Reproduce

$ npx snyk test jest

Testing jest...

✗ High severity vulnerability found in y18n
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-Y18N-1021887
  Introduced through: jest-cli@26.6.3, @jest/core@26.6.3
  From: jest-cli@26.6.3 > yargs@15.4.1 > y18n@4.0.0
  From: @jest/core@26.6.3 > jest-runtime@26.6.3 > yargs@15.4.1 > y18n@4.0.0
  From: @jest/core@26.6.3 > jest-runner@26.6.3 > jest-runtime@26.6.3 > yargs@15.4.1 > y18n@4.0.0
  and 15 more...



Organization:      jjloneman
Package manager:   npm
Open source:       yes
Project path:      jest

Tested jest for known vulnerabilities, found 1 vulnerability, 18 vulnerable paths.

Expected behavior

No vulnerabilities.

Link to repl or repo (highly encouraged)

jest vulnerability output from https://snyk.io/test/npm/jest/26.6.3:

Prototype Pollution

Vulnerable module: y18n

• Introduced through: jest-cli@26.6.3 and @jest/core@26.6.3

Detailed paths

• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0

jest-circus vulnerability output from https://snyk.io/test/npm/jest-circus/26.6.3:

Prototype Pollution

Vulnerable module: y18n

• Introduced through: jest-runtime@26.6.3 and jest-runner@26.6.3

Detailed paths

• Introduced through: jest-circus@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest-circus@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest-circus@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
• Introduced through: jest-circus@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0

envinfo

$ npx envinfo --preset jest

  System:
    OS: macOS 10.15.7
    CPU: (4) x64 Intel(R) Core(TM) i5-4258U CPU @ 2.40GHz
  Binaries:
    Node: 15.2.1 - /usr/local/bin/node
    npm: 7.0.12 - /usr/local/bin/npm

[SimenB]

It's a breaking change to upgrade (see the revert in #10599). Jest 27 will have the update to v16

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.