Node.js minimist CVE #1490

Closed
steven-supersolid opened this issue Apr 23, 2020 · 1 comment · Fixed by #1529

@steven-supersolid
Collaborator

What happened:
There is a CVE for the Node.js minimist package that is a transitive dependency:
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
https://snyk.io/blog/prototype-pollution-minimist/
https://www.npmjs.com/package/minimist

What you expected to happen:
We should recheck dependencies and apply a fix if available:
npm outdated...
npm audit fix

Amusingly, the package is used for parsing command-line arguments; however, we don't use it.

@steven-supersolid steven-supersolid added the kind/bug These are bugs. label Apr 23, 2020
@markmandel markmandel added the area/security Issues pertaining to security label Apr 24, 2020
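
The issue above concerns a package that arrives only as a transitive dependency. As an added example (not code from this project), the following Node.js code walks an npm lockfile in the v1 nested layout and lists each chain from a direct dependency down to a given package, with the installed version at each step. The lockfile contents, the direct-dependency list and the names `resolve` and `findChains` are constructed for illustration.

```javascript
'use strict';

// Constructed sample in npm lockfile v1 shape (nested "dependencies" + "requires").
const sampleLock = {
  dependencies: {
    'build-tool': { version: '2.0.0', requires: { mkdirp: '^0.5.1' } },
    mkdirp: { version: '0.5.1', requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8' } } },
    'cli-helper': { version: '1.1.0', requires: { minimist: '^1.2.0' } },
    minimist: { version: '1.2.0' },
    leftover: { version: '3.0.0' },
  },
};
// Constructed stand-in for the names listed in package.json.
const sampleDirect = ['build-tool', 'cli-helper', 'leftover'];

// Resolve `name` the way Node does: nearest enclosing node_modules first.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// Return every chain "direct -> ... -> target@version" reachable from `direct`.
function findChains(lock, direct, target) {
  const chains = [];
  const walk = (name, scopes, trail, seen) => {
    const hit = resolve(scopes, name);
    if (!hit) return; // optional or missing dependency
    const id = `${name}@${hit.node.version}`;
    if (seen.has(id)) return; // guard against dependency cycles
    const path = [...trail, id];
    if (name === target) { chains.push(path.join(' -> ')); return; }
    const nextSeen = new Set(seen).add(id);
    for (const req of Object.keys(hit.node.requires || {})) {
      walk(req, [...hit.scopes, hit.node], path, nextSeen);
    }
  };
  for (const d of direct) walk(d, [lock], [], new Set());
  return chains;
}

console.log(findChains(sampleLock, sampleDirect, 'minimist').join('\n'));
```

Each reported version can then be compared against the fixed versions named in the advisory, and the first element of each chain is the direct dependency to upgrade.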
@steven-supersolid
Collaborator Author

/assign steven-supersolid
