
Upgrade ESLint dependencies to fix "high severity security vulnerabilities" #8663

Closed
phoqe opened this issue Mar 16, 2020 · 16 comments

@phoqe

phoqe commented Mar 16, 2020

Is your proposal related to a problem?

When creating a new app with the default template, it starts with two high severity security vulnerabilities in two of ESLint's dependencies: acorn and minimist.

The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.

Identifiers:
CVE-2020-7598
SNYK-JS-ACORN-559469

Describe the solution you'd like

Upgrade minimist to version 1.2.2 or later.
Upgrade acorn to version 7.1.1 or later.

Describe alternatives you've considered

N/A

Additional context

[three screenshots attached]

@phoqe
Author

phoqe commented Mar 16, 2020

#8656

@ashylen

ashylen commented Mar 18, 2020

These answers cover only part of the problem; what about the minimist dependency?

@phoqe
Author

phoqe commented Mar 18, 2020

@ashylen AFAIK there is no automated security fix for minimist out yet.

@azedine-batouche

npm i minimist

@Leired7

Leired7 commented Mar 18, 2020

Hi,

npm i minimist doesn't take away my vulnerability... : ( Is there any other way to perform the manual review?

Thank you

@weigruf

weigruf commented Mar 19, 2020

I tried with npm-force-resolutions to manually enforce the version of minimist to 1.2.3; that fixes it, but it looks like it breaks webpack for other npm scripts (e.g. when running Jest tests).

npm i minimist and "react-scripts": "^3.4.0" didn't help either.

@onpaws

onpaws commented Mar 19, 2020

Yarn users should be able to work around this by adding the following to package.json:

  "resolutions": {
    "minimist": "^1.2.2"
  },

At least for my case this satisfied GitHub's automated security bot.

@weigruf

weigruf commented Mar 19, 2020

With npm I tried "resolutions": { "minimist": "^1.2.5" },
and the following npm script: "preinstall": "npx npm-force-resolutions", but as mentioned earlier it broke webpack for other npm scripts (e.g. when running Jest tests).

@phoqe
Author

phoqe commented Mar 19, 2020

If anyone finds a working fix, please create a pull request.

@weigruf

weigruf commented Mar 19, 2020

A temporary solution.

Adding:

  • "minimist": "^1.2.5" in the devDependencies
  • "resolutions": { "minimist": "^1.2.5" }
  • "preinstall": "npx npm-force-resolutions" (npm-script)

in the package.json and running npm i fixed it for me temporarily.

Of course, you will need to test your affected app(s) (there is an npm ERR! invalid: minimist@1.2.5 error for mkdirp@0.5.1).

@tonix-tuft

tonix-tuft commented Mar 22, 2020

I also get the minimist vulnerability warning as of today:

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @babel/cli [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @babel/cli > chokidar > fsevents > node-pre-gyp > mkdirp >   │
│               │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > fsevents > node-pre-gyp >   │
│               │ mkdirp > minimist                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @babel/cli [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @babel/cli > chokidar > fsevents > node-pre-gyp > tar >      │
│               │ mkdirp > minimist                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > fsevents > node-pre-gyp >   │
│               │ tar > mkdirp > minimist                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @babel/cli [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @babel/cli > chokidar > fsevents > node-pre-gyp > rc >       │
│               │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > fsevents > node-pre-gyp >   │
│               │ rc > minimist                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 low severity vulnerabilities in 10258 scanned packages
  6 vulnerabilities require manual review. See the full report for details.

$ npm list minimist
my-project@1.2.3 /Users/my-user/repositories/my-project
├─┬ @babel/cli@7.8.4
│ └─┬ chokidar@2.1.8
│   └─┬ fsevents@1.2.11
│     └─┬ node-pre-gyp@0.14.0
│       ├─┬ mkdirp@0.5.1
│       │ └── minimist@0.0.8 
│       └─┬ rc@1.2.8
│         └── minimist@1.2.0 
├─┬ @babel/core@7.9.0
│ └─┬ json5@2.1.2
│   └── minimist@1.2.5  deduped
├─┬ babel-loader@8.1.0
│ ├─┬ loader-utils@1.4.0
│ │ └─┬ json5@1.0.1
│ │   └── minimist@1.2.5  deduped
│ └─┬ mkdirp@0.5.3
│   └── minimist@1.2.5  deduped
├── minimist@1.2.5 
└─┬ webpack-cli@3.3.11
  └─┬ loader-utils@1.2.3
    └─┬ json5@1.0.1
      └── minimist@1.2.5  deduped
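The audit report above flags copies of minimist by their "Patched in" range, and the `npm list` output shows where the unpatched copies sit. As an added example (not code from this thread or from npm), the script below does the same check offline over a lockfile: it walks the nested "dependencies" tree of a lockfileVersion 1 package-lock.json, evaluates each resolved version against the advisory range, and prints an `npm list`-style path for every copy that is outside it. The lockfile object is constructed to mirror the tree shown in this comment; only the semver subset needed for that range (plain comparators joined by spaces and "||") is implemented.

```javascript
// Added example (not from the thread or from npm): list every copy of a package that a
// package-lock.json (lockfileVersion 1, nested "dependencies") resolves to a version
// outside an advisory's "Patched in" range. Only the semver subset needed for the range
// quoted in the audit output above (">=", "<", "||") plus "<=", ">" and "=" is handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies `range`; "||" separates alternatives, spaces AND comparators.
function satisfies(version, range) {
  return range.split('||').some(group =>
    group.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1] || '='];
    }));
}

// Walk the nested dependency tree and return an `npm list`-style path for each copy of
// `name` whose resolved version is NOT inside `patchedRange`.
function findVulnerable(lock, name, patchedRange) {
  const hits = [];
  (function walk(deps, path) {
    for (const [pkg, info] of Object.entries(deps || {})) {
      const here = [...path, `${pkg}@${info.version}`];
      if (pkg === name && !satisfies(info.version, patchedRange)) hits.push(here.join(' > '));
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed lockfile modelled on the `npm list minimist` output in this comment:
// the two nested copies (0.0.8 and 1.2.0) are unpatched, the top-level 1.2.5 is fine.
const node = (version, dependencies) => ({ version, dependencies });
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  '@babel/cli': node('7.8.4', { chokidar: node('2.1.8', { fsevents: node('1.2.11', {
    'node-pre-gyp': node('0.14.0', {
      mkdirp: node('0.5.1', { minimist: node('0.0.8') }),
      rc: node('1.2.8', { minimist: node('1.2.0') }) }) }) }) }),
  minimist: node('1.2.5') } };
const MINIMIST_PATCHED = '>=0.2.1 <1.0.0 || >=1.2.3'; // "Patched in" range from advisory 1179 above

console.log(findVulnerable(SAMPLE_LOCK, 'minimist', MINIMIST_PATCHED));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfileVersion 2 and 3 files use a flat "packages" map instead of the nested tree and would need a different walker.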

@michael-reeves

The acorn issue appears to come from jest@24.9.0. It is nested down in jsdom, which appears to have been upgraded as of jest@25.2.3.

@Tawfeekamr

You need to locate where minimist is used and update the package.json inside the node_modules folder. Then the error is gone!

The problem is that some of my modules use minimist! All node packages use other packages and have their own package.json.

I fixed the issue by:

npm audit

then I see the result (for example yargs-parser package):

[screenshot]

I locate the path in CMD, update package.json for yargs-parser inside the node_modules folder, update the patch of the module, and then inside the folder I run npm install. Then the error is gone!

@tombrowndev

Are there any updates? Is there an automated way to fix this yet with npm audit fix?

@AndresHMosqueda

How can this be fixed?

I tried by deleting node_modules and package-lock.json and doing a fresh npm install, but I have the same issue. Any feedback is really appreciated.

[two screenshots attached]

@gaearon
Contributor

gaearon commented Feb 18, 2021

There was never any real vulnerability here, but this appears solved regardless so I'm closing.

@gaearon gaearon closed this as completed Feb 18, 2021
13 participants