Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade Dependency "minimist" to avoid prototype pollution security risk #5285

Open
MixMasterT opened this issue Mar 17, 2020 · 9 comments
Open

Upgrade Dependency "minimist" to avoid prototype pollution security risk #5285

MixMasterT opened this issue Mar 17, 2020 · 9 comments
Labels
upstream

Comments

@MixMasterT
Copy link

Version

4.2.3

Reproduction link

n/a

Environment info

This issue is present in all normal usage environments.

Steps to reproduce

This issue can be easily found using npm tooling. I am not sure how to identify it using yarn. Basically, just run "npm audit" or "npm audit --fix". The minimist package is recognized to have a prototype pollution vulnerability and it is recommended to move up to version 1.2.3 or higher.

What is expected?

No security vulnerabilities

What is actually happening?

npm flags vue-cli as harboring a moderate risk (prototype pollution) through the "minimist" dependency.

I tried to fix this myself, but was unable to push my code up for a PR. It should be as simple as updating the line in package.json. However tests will need to be run to ensure that doing so does not introduce any other problems.
@kaantureyyen
Copy link

Yup, same problem

@kaantureyyen
Copy link

Same issue is also present for @vue/cli-plugin-babel and @vue/cli-plugin-eslint

@bjkippax
Copy link

Same issue present for the following;

  • @vue/cli-plugin-babel
  • @vue/cli-service
  • @vue/cli-plugin-eslint

https://npmjs.com/advisories/1179

@dosstx
Copy link

dosstx commented Mar 19, 2020

Same issue.

@sodatea
Copy link
Member

sodatea commented Mar 19, 2020

But the depended version is a caret range: "minimist": "^1.2.0". You should be able to fix it by cleaning up the cache, the lockfiles and then reinstalling.

@dosstx
Copy link

dosstx commented Mar 19, 2020

Can someone provide the exact steps on how to do this the right way?

@kaantureyyen
Copy link

kaantureyyen commented Mar 19, 2020
edited

Running npm audit, I can see that the problem is with the version of minimist that mkdirp uses. mkdirp is a sub dependency in all of the mentioned packages above.

@sodatea
Copy link
Member

sodatea commented Mar 19, 2020
edited

I don't see how @vue/cli-service is affected.

The mocha and cypress ones are addressed in mochajs/mocha#4204 cypress-io/cypress#6726
But we can't upgrade now because they are only available in new major versions.

So please use the resolutions field in package.json for now.

@dosstx
Copy link

dosstx commented Mar 19, 2020
edited

The above workaround did work for me like so:

package.json:

"scripts": {
    "preinstall": "npx npm-force-resolutions",
......
}
  "resolutions": {
    "minimist": "1.2.3",
    "mkdir": "0.5.3"
  }

I then ran npm install .
I am no expert. If anyone has a better solution or any comments, let me know.

This was referenced Mar 21, 2020
Closed
Closed
This was referenced Mar 30, 2020
Merged
Closed
garytyler added a commit to garytyler/seevr-web that referenced this issue Apr 6, 2020
@garytyler
frontend: Upgrade vue-cli plugins to 4.3.0, handle npm security advis…
195348c 
…ory with package.json resolutions

-Mentioned security advisory: https://www.npmjs.com/advisories/1179
-Fix for mentioned security advisory: vuejs/vue-cli#5285 (comment)
@Lissy93 Lissy93 mentioned this issue Jun 26, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
upstream
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sodatea @dosstx @MixMasterT @bjkippax @kaantureyyen