Open eagle-txec opened 12 months ago
Hey @eagle-txec, We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created a minimatch 3.0.4-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app.
Please feel free to reach us at info@seal.security if you have any requests/questions.
The issue exists with 13.7.3 as well:
| minimist | CVE-2021-44906 | current version - 0.0.8 | fixed - 1.2.6, 0.2.4 | minimist: prototype pollution | --> avd.aquasec.com/nvd/cve-2021-44906 |
To reproduce the report, use for example:
trivy image --ignore-unfixed --vuln-type library --severity CRITICAL cypress/included:13.11.0
From yarn why
yarn why minimist
yarn why v1.22.19
[1/4] 🤔 Why do we have the module "minimist"...?
[2/4] 🚚 Initialising dependency graph...
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@29.4.3"
warning Resolution field "pretty-format@26.4.0" is incompatible with requested version "pretty-format@^27.0.2"
warning Resolution field "vue-template-compiler@2.6.12" is incompatible with requested version "vue-template-compiler@^2.7.14"
[3/4] 🔍 Finding dependency...
[4/4] 🚡 Calculating file sizes...
=> Found "minimist@1.2.8"
info Has been hoisted to "minimist"
info Reasons this module exists
- "workspace-aggregator-199e8a63-af5b-4011-b122-b173c4ba507f" depends on it
- Specified in "devDependencies"
- Hoisted from "_project_#minimist"
- Hoisted from "_project_#@packages#electron#minimist"
- Hoisted from "_project_#@packages#server#minimist"
- Hoisted from "_project_#check-dependencies#minimist"
- Hoisted from "_project_#patch-package#minimist"
- Hoisted from "_project_#prebuild-install#minimist"
- Hoisted from "_project_#mkdirp#minimist"
- Hoisted from "_project_#@electron#fuses#minimist"
- Hoisted from "_project_#autobarrel#minimist"
- Hoisted from "_project_#http-server#minimist"
- Hoisted from "_project_#tsconfig-paths#minimist"
- Hoisted from "_project_#cypress#minimist"
- Hoisted from "_project_#http-server#ecstatic#minimist"
- Hoisted from "_project_#@tooling#v8-snapshot#cpr#minimist"
- Hoisted from "_project_#@cypress#webpack-preprocessor#dependency-check#minimist"
- Hoisted from "_project_#cypress#dependency-check#minimist"
- Hoisted from "_project_#loader-utils#json5#minimist"
- Hoisted from "_project_#tsconfig-paths#json5#minimist"
- Hoisted from "_project_#@packages#frontend-shared#patch-package#minimist"
- Hoisted from "_project_#prebuild-install#rc#minimist"
- Hoisted from "_project_#lerna#strong-log-transformer#minimist"
- Hoisted from "_project_#@packages#server#tsconfig-paths#minimist"
- Hoisted from "_project_#@packages#server#firefox-profile#minimist"
- Hoisted from "_project_#cypress#dependency-check#detective#minimist"
- Hoisted from "_project_#electron-builder#app-builder-lib#electron-osx-sign#minimist"
- Hoisted from "_project_#@packages#server#better-sqlite3#prebuild-install#minimist"
- Hoisted from "_project_#@packages#electron#electron-packager#@electron#osx-sign#minimist"
- Hoisted from "_project_#lerna#nx#tsconfig-paths#minimist"
- Hoisted from "_project_#semantic-release#@semantic-release#release-notes-generator#conventional-changelog-writer#handlebars#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "stop-only#minimist@1.2.0"
info This module exists because "_project_#stop-only" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "snap-shot-core#minimist@0.0.8"
info Reasons this module exists
- "_project_#snap-shot-core#mkdirp" depends on it
- Hoisted from "_project_#snap-shot-core#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha#minimist@0.0.8"
info Reasons this module exists
- "_project_#mocha#mkdirp" depends on it
- Hoisted from "_project_#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "deps-ok#minimist@1.2.0"
info This module exists because "_project_#@cypress#webpack-preprocessor#deps-ok" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "bower-config#minimist@0.2.1"
info This module exists because "_project_#check-dependencies#bower-config" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "mocha-7.0.1#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#server#mocha-7.0.1#mkdirp" depends on it
- Hoisted from "_project_#@packages#server#mocha-7.0.1#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/example#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#example#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#example#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "cypress#mkdirp#minimist@0.0.8"
info This module exists because "_project_#cypress#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/network#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#network#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#network#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/config#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#config#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/data-context#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#data-context#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#data-context#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#driver#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#driver#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/errors#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#errors#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#errors#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/packherd-require#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#packherd-require#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#packherd-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/scaffold-config#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#scaffold-config#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#scaffold-config#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/telemetry#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#telemetry#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#telemetry#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/v8-snapshot-require#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#v8-snapshot-require#mocha#mkdirp" depends on it
- Hoisted from "_project_#@packages#v8-snapshot-require#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/electron-mksnapshot#minimist@0.0.8"
info Reasons this module exists
- "_project_#@tooling#electron-mksnapshot#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#electron-mksnapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/packherd#minimist@0.0.8"
info Reasons this module exists
- "_project_#@tooling#packherd#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#packherd#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/v8-snapshot#minimist@0.0.8"
info Reasons this module exists
- "_project_#@tooling#v8-snapshot#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#v8-snapshot#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/server#mkdirp#minimist@0.0.8"
info This module exists because "_project_#@packages#server#mocha#mkdirp" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@tooling/system-tests#minimist@0.0.8"
info Reasons this module exists
- "_project_#@tooling#system-tests#mocha#mkdirp" depends on it
- Hoisted from "_project_#@tooling#system-tests#mocha#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "@packages/driver#multer#minimist@1.2.8"
info Reasons this module exists
- "_project_#@packages#driver#multer#mkdirp" depends on it
- Specified in "devDependencies"
- Hoisted from "_project_#@packages#driver#multer#mkdirp#minimist"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "28KB"
info Disk size with transitive dependencies: "28KB"
info Number of shared dependencies: 0
=> Found "optimist#minimist@0.0.8"
info This module exists because "_project_#@fellow#eslint-plugin-coffee#@fellow#coffeelint2#optimist" depends on it.
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
=> Found "resize-img#minimist@0.0.8"
info Reasons this module exists
- "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp" depends on it
- Hoisted from "_project_#@packages#icons#to-ico#resize-img#jimp#mkdirp#minimist"
info Disk size without dependencies: "20KB"
info Disk size with unique dependencies: "20KB"
info Disk size with transitive dependencies: "20KB"
info Number of shared dependencies: 0
✨ Done in 2.13s.
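As an added example (not code from the issue or the Cypress project), a small Node script that triages `yarn why` output like the listing above against the fix versions the thread quotes (1.2.6, or 0.2.4 on the 0.2.x line) and lists which dependency paths still resolve to an affected minimist; the excerpt it parses is constructed from the output above.

```javascript
// Added example, not code from the Cypress issue or project: triage `yarn why`
// output against the fix versions quoted in the thread for CVE-2021-44906
// (minimist 1.2.6, or 0.2.4 on the 0.2.x line) and list the dependency
// paths that still pull in an affected copy.

// Constructed excerpt in the format of the `yarn why minimist` output above.
const SAMPLE = `=> Found "minimist@1.2.8"
info Reasons this module exists
   - "workspace-aggregator-199e8a63" depends on it
=> Found "stop-only#minimist@1.2.0"
info This module exists because "_project_#stop-only" depends on it.
=> Found "snap-shot-core#minimist@0.0.8"
info Reasons this module exists
   - "_project_#snap-shot-core#mkdirp" depends on it
=> Found "bower-config#minimist@0.2.1"
info This module exists because "_project_#check-dependencies#bower-config" depends on it.`;

// Affected by CVE-2021-44906 unless >= 1.2.6, or >= 0.2.4 on the 0.2.x line.
function isAffected(version) {
  const key = (v) => v.reduce((n, x) => n * 1000 + x, 0); // x.y.z -> sortable int
  const v = version.split('.').map(Number);
  return key(v) < key(v[0] === 0 && v[1] === 2 ? [0, 2, 4] : [1, 2, 6]);
}

// Each `=> Found "<label>@<version>"` starts a block; the `"<path>" depends
// on it` lines that follow name who requires that particular copy.
function parseYarnWhy(output) {
  const found = [];
  let current = null;
  for (const raw of output.split('\n')) {
    const line = raw.trim();
    let m = line.match(/^=> Found "(.+)@([\d.]+)"$/);
    if (m) {
      current = { label: m[1], version: m[2], affected: isAffected(m[2]), paths: [] };
      found.push(current);
    } else if (current && (m = line.match(/"([^"]+)" depends on it/))) {
      current.paths.push(m[1].replace(/^_project_#/, '').split('#').join(' > '));
    }
  }
  return found;
}

// Copies that still need a fix, with the path that pulls each one in.
function affectedCopies(output) {
  return parseYarnWhy(output)
    .filter((f) => f.affected)
    .map((f) => `${f.label}@${f.version} via ${f.paths.join('; ')}`);
}

console.log(affectedCopies(SAMPLE).join('\n'));
```

Run it as `yarn why minimist | node triage.js` after swapping `SAMPLE` for stdin; the hoisted 1.2.8 copy is dropped and the three older copies are reported with the package that requires each.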
Hi, I installed the latest cypress/included:13.13.0 and there is still a critical security vulnerability.
Command: RUN |6 NODE_VERSION=20.14.0 YARN_VERSION=1.22.22 CHROME_VERSION=126.0.6478.114-1 EDGE_VERSION=126.0.2592.61-1 FIREFOX_VERSION=127.0.1 CYPRESS_VERSION=13.13.0 /bin/sh -c node /opt/installScripts/cypress/install-cypress-version.js ${CYPRESS_VERSION} # buildkit
We're open to PRs to fix this. We have no reason to believe this critical vulnerability has any actual exposure with the way Cypress is executed.
Ok, how about the other 3 critical ones? Will they be fixed, or is it the same case as minimist? Or do we need to open new issues?
@hjqgloria
The other issues have already been reported.
Current behavior
Installed version is 0.0.8
Desired behavior
Upgrade fix version is 1.2.6
Test code to reproduce
-
Cypress Version
13.3.3
Node version
16.20.2
Operating System
-
Debug Logs
Other
No response