vuejs / vue-cli

🛠️ webpack-based tooling for Vue.js Development
https://cli.vuejs.org/
MIT License

Upgrade Dependency "minimist" to avoid prototype pollution security risk #5285

Open MixMasterT opened 4 years ago

MixMasterT commented 4 years ago

Version

4.2.3

Reproduction link

n/a

Environment info

This issue is present in all normal usage environments.

Steps to reproduce

This issue can be easily found using npm tooling. I am not sure how to identify it using yarn. Basically, just run "npm audit" or "npm audit --fix". The minimist package is recognized to have a prototype pollution vulnerability and it is recommended to move up to version 1.2.3 or higher.

What is expected?

No security vulnerabilities

What is actually happening?

npm flags vue-cli as harboring a moderate risk (prototype pollution) through the "minimist" dependency.


I tried to fix this myself, but was unable to push my code up for a PR. It should be as simple as updating the line in package.json. However tests will need to be run to ensure that doing so does not introduce any other problems.

kaantureyyen commented 4 years ago

Yup, same problem

kaantureyyen commented 4 years ago

Same issue is also present for @vue/cli-plugin-babel and @vue/cli-plugin-eslint

bjkippax commented 4 years ago

Same issue present for the following:

https://npmjs.com/advisories/1179

dosstx commented 4 years ago

Same issue.

haoqunjiang commented 4 years ago

But the depended version is a caret range: "minimist": "^1.2.0". You should be able to fix it by cleaning up the cache, the lockfiles and then reinstalling.

dosstx commented 4 years ago

Can someone provide the exact steps on how to do this the right way?

kaantureyyen commented 4 years ago

Running npm audit, I can see that the problem is with the version of minimist that mkdirp uses. mkdirp is a sub dependency in all of the mentioned packages above.

haoqunjiang commented 4 years ago

I don't see how @vue/cli-service is affected.

The mocha and cypress ones are addressed in https://github.com/mochajs/mocha/pull/4204 https://github.com/cypress-io/cypress/pull/6726 But we can't upgrade now because they are only available in new major versions.

So please use the resolutions field in package.json for now.

dosstx commented 4 years ago

The above workaround did work for me like so:

package.json:

{
  "scripts": {
    "preinstall": "npx npm-force-resolutions",
    ......
  },
  "resolutions": {
    "minimist": "1.2.3",
    "mkdirp": "0.5.3"
  }
}

I then ran npm install. I am no expert. If anyone has a better solution or any comments, let me know.