foreversd / forever

A simple CLI tool for ensuring that a given script runs continuously (i.e. forever)
http://github.com/foreverjs/forever
MIT License

minimist security issue #1072

Open mgol opened 4 years ago

mgol commented 4 years ago

GitHub reports a security advisory for all users of minimist <1.2.2: https://github.com/advisories/GHSA-7fhm-mqm4-2wp7

forever is depending on the deprecated optimist package: https://www.npmjs.com/package/optimist. That package depends on minimist ~0.0.1.

The solution is to switch to a recent minimist directly or to yargs or a similar package.

yetzt commented 4 years ago

the best solution would be @substack fixing the dependency in optimist by the press of one button https://github.com/substack/node-optimist/issues/152

kibertoad commented 4 years ago

I'll look into replacing optimist, as that library is dead

kibertoad commented 4 years ago

Replacing optimist will take some time that I don't currently have, unfortunately; if anyone would volunteer to make a PR, that would be appreciated greatly.

Meanwhile I've pinged @substack wrt lending a hand to fix the security issue on the optimist side; hopefully that works out as a stopgap solution.

Ratstail91 commented 4 years ago

Hey, I replaced optimist with yargs, which seems like a decent drop-in replacement. Hopefully #1093 resolves this.

It passes all the tests, so it certainly should.

hc-12 commented 4 years ago

@Ratstail91 it seems to be a partial fix, as there are nested dependencies that still rely on minimist.

    {
      "id": 1179,
      "path": "forever>flatiron>broadway>nconf>optimist>minimist",
      "dev": true,
      "optional": false,
      "bundled": false
    },
    {
      "id": 1179,
      "path": "forever>forever-monitor>broadway>nconf>optimist>minimist",
      "dev": true,
      "optional": false,
      "bundled": false
    },
    {
      "id": 1179,
      "path": "forever>flatiron>optimist>minimist",
      "dev": true,
      "optional": false,
      "bundled": false
    }

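
The three remaining entries above are nested copies of minimist, one per parent that pins it, and the question that follows (are they all devDependencies?) can be answered from the lockfile rather than by reading the audit listing. As an added example, not part of this thread or of forever's own code, the Node script below walks a constructed package-lock.json fragment in the nested lockfileVersion 1 layout, reports every installed copy of a package below the advisory's fixed version with its full path in npm audit's a>b>c notation, and splits the hits into runtime and dev-only. The lockfile contents and versions are constructed for the example (the forever-monitor copy is deliberately marked as a runtime dependency to show the split; in the real audit output above it is dev: true), and the version comparison handles only the exact x.y.z versions a lockfile pins, not package.json ranges.

```javascript
'use strict';

// Added example, not forever's code: walk a lockfileVersion 1 package-lock
// tree and list every installed copy of a package below the fixed version.
// Paths use the same "a>b>c" notation as npm audit output.

// Build lockfile v1 nodes without hand-counting braces.
const lockNode = (version, dev, dependencies) => ({
  version,
  ...(dev ? { dev: true } : {}),
  ...(dependencies ? { dependencies } : {}),
});

// Constructed fragment modelled on the audit paths above; versions are made
// up, and the forever-monitor copy is deliberately left without "dev": true
// so the report shows a runtime hit next to the dev-only ones.
const SAMPLE_LOCK = {
  name: 'forever',
  lockfileVersion: 1,
  dependencies: {
    flatiron: lockNode('0.4.3', true, {
      optimist: lockNode('0.6.0', true, { minimist: lockNode('0.0.10', true) }),
      broadway: lockNode('0.3.6', true, {
        nconf: lockNode('0.6.9', true, {
          optimist: lockNode('0.6.0', true, { minimist: lockNode('0.0.10', true) }),
        }),
      }),
    }),
    'forever-monitor': lockNode('3.0.1', false, {
      broadway: lockNode('0.3.6', false, {
        nconf: lockNode('0.6.9', false, {
          optimist: lockNode('0.6.0', false, { minimist: lockNode('0.0.10', false) }),
        }),
      }),
    }),
    minimist: lockNode('1.2.5', false), // hoisted, already patched: must not be reported
  },
};

// "1.2.2", "0.0.10", "1.2.5-beta.1" -> [major, minor, patch]. Prerelease and
// build tags are ignored, which is fine for the exact versions a lockfile
// pins but not for the ranges in package.json.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric compare, so 0.0.10 sorts above 0.0.9 (a string compare would not).
function isBelow(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  if (!a || !b) throw new Error(`unparseable version: ${version} / ${fixed}`);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Depth-first walk over the nested "dependencies" objects: one finding per
// installed copy of `pkg` with version < fixedIn, with its full path and
// whether that copy is dev-only.
function findVulnerablePaths(lock, pkg, fixedIn) {
  const findings = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (name === pkg && isBelow(info.version, fixedIn)) {
        findings.push({ path: path.join('>'), version: info.version, dev: info.dev === true });
      }
      walk(info.dependencies, path); // nested copies live under each parent
    }
  };
  walk(lock.dependencies, [lock.name || 'root']);
  return findings;
}

// Answer "aren't all of them devDependencies?" from the lockfile, not by eye.
function summarize(findings) {
  return {
    runtime: findings.filter((f) => !f.dev).map((f) => f.path),
    devOnly: findings.filter((f) => f.dev).map((f) => f.path),
  };
}

function formatReport(lock, pkg, fixedIn) {
  const findings = findVulnerablePaths(lock, pkg, fixedIn);
  const s = summarize(findings);
  const lines = findings.map((f) => `${f.dev ? 'dev    ' : 'RUNTIME'} ${f.path}@${f.version}`);
  lines.push(`${findings.length} copies of ${pkg} below ${fixedIn}: ` +
    `${s.runtime.length} runtime, ${s.devOnly.length} dev-only`);
  return lines.join('\n');
}

console.log(formatReport(SAMPLE_LOCK, 'minimist', '1.2.2'));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Lockfiles written by newer npm (lockfileVersion 2 and 3) record a flat `packages` map keyed by node_modules path instead of the nested `dependencies` tree, so the walker would need a different traversal for those.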
kibertoad commented 4 years ago

@hc-12 Aren't all of them devDependencies?

hc-12 commented 4 years ago

> @hc-12 Aren't all of them devDependencies?

This is the audit report from npm with the latest forever version 3.0.1. It did remove an entry with the latest patch, which leaves us with 3 remaining minimist vulnerabilities.

Ratstail91 commented 4 years ago

Ah crap. I guess it's up to me to fix these lol.

Is there potentially a way to remove these dependencies entirely? What do they do?

Let's focus on flatiron first, since that will remove two of the issues.

Edit: Edited the link to broadway.

Ratstail91 commented 4 years ago

Actually, I'm sorry, but after going through the code, it seems forever heavily depends on flatiron. There's nothing I can do without rewriting it, or rewriting flatiron, and I don't get paid enough for that.

For those who come after, I wish you the best of luck.

fool-derek commented 3 years ago

Any progress for this issue?

Ratstail91 commented 3 years ago

> Any progress for this issue?

No, sorry. This project is deprecated. I'd recommend using pm2.

fool-derek commented 3 years ago

> Any progress for this issue?
>
> No, sorry. This project is deprecated. I'd recommend using pm2.

Thanks for your quick answer!