cloudhead / node-static

rfc 2616 compliant HTTP static-file server module, with built-in caching.
MIT License
2.17k stars 245 forks

Replace optimist or otherwise avoid its vulnerability #218

Closed brettz9 closed 3 years ago

brettz9 commented 4 years ago

The dependency optimist depends on a vulnerable version of minimist (see https://npmjs.com/advisories/1179).

Despite having an issue and PR filed with optimist, since the last commit on optimist was 6 years ago, and since the package is deprecated (and it has also been awaiting a fix for a proper license specifier, making automated license audits problematic in the interim), it'd be really nice if you could drop the optimist dependency, perhaps using one of its suggested replacements (yargs, nomnom, or using minimist directly, though if the latter, I'd hope pegging against the maintained major bump).

(I personally like command-line-args, as one can use it with command-line-usage or my command-line-publish/command-line-basics tools to get documentation (both at the command line and as SVG, allowing embedding in a README) from a simple declarative schema.)

Thanks!

typehorror commented 4 years ago

@brettz9 You can enforce the right version of minimist if you use yarn by using the resolutions feature in your package.json file. I've successfully removed the vulnerability through this commit

Edited to point out that this solution will not work as of today if you use npm

brettz9 commented 4 years ago

@debrice: Yes, thank you, but not every project is using Yarn.

ghost commented 4 years ago

+1

dscham commented 4 years ago

Bump

Jahmilli commented 4 years ago

I might be mistaken but I found that installing npm-force-resolutions as a dev dependency and adding the following into the package.json

  "resolutions": {
    "minimist": "^1.2.5"
  },

as well as the following script into my package.json: "preinstall": "npx npm-force-resolutions". By then running npm run preinstall and then npm i, it seemed to remove the audit issue around using minimist.

dscham commented 4 years ago

Looks like it's dead, last commit on master in 2018? Is there still somebody to merge? Then maybe I'll make a fork with a fix.

rfossella commented 3 years ago

Is installing npm-force-resolutions as a dev dependency still the only (recommended) solution to the optimist/minimist issue?

npm audit

Low             Prototype Pollution
Package         minimist
Patched in      >=0.2.1 <1.0.0 || >=1.2.3
Dependency of   optimist
Path            optimist > minimist
More info       https://npmjs.com/advisories/1179

brettz9 commented 3 years ago

Closed by #227.