webpack-contrib / eslint-loader

[DEPRECATED] An ESLint loader for webpack
MIT License

please update minimist due to prototype pollution (CVE-2020-7598) #316

Closed OZZlE closed 4 years ago

OZZlE commented 4 years ago

Expected Behavior

npm audit reports no vulnerabilities after installing this module

Actual Behavior

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-loader [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-loader > loader-fs-cache > mkdirp > minimist          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

How Do We Reproduce?

npm i eslint-loader@latest
npm audit
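
The advisory in the audit output above (npm advisory 1179, CVE-2020-7598) concerns prototype pollution in minimist's handling of dotted argument keys. The following is an added example, not code from this issue, from eslint-loader, or from minimist: a minimal minimist-style `--a.b=c` parser that reproduces the bug class when the guard is switched off, beside the guard that refuses the reserved key segments. The argument list in `demo()` is constructed for the illustration; `FORBIDDEN_KEYS`, `setPath`, `parseArgv` and `isPolluted` are names chosen here and are not minimist's API.

```javascript
// Added example: a minimal minimist-style argv parser that reproduces the
// prototype-pollution bug class behind CVE-2020-7598 (npm advisory 1179),
// next to the guard that closes it. This is not minimist's code and not part
// of eslint-loader; it only imitates the "--a.b=c" dotted-key handling that
// made the bug reachable.
'use strict';

// Key segments that must never be used to walk or assign into a plain object:
// assigning through them reaches Object.prototype (or a constructor's
// prototype) instead of the target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `obj` along `path` (an array of key segments) and assign `value` at the
// leaf, creating intermediate objects as needed. With `safe` false this is the
// vulnerable shape: "__proto__" is treated like any other segment, so
// o["__proto__"] resolves to Object.prototype and the leaf lands there.
function setPath(obj, path, value, safe) {
  let o = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (safe && FORBIDDEN_KEYS.has(key)) return false; // refuse the whole argument
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = path[path.length - 1];
  if (safe && FORBIDDEN_KEYS.has(last)) return false;
  o[last] = value;
  return true;
}

// Parse `--key=value`, `--key value`, `--a.b.c=value`, bare `--flag`, and
// positional arguments (collected under `_`, as minimist does).
// Returns { argv: parsedObject, rejected: [arguments refused by the guard] }.
function parseArgv(args, { safe = true } = {}) {
  const argv = {};
  const rejected = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i];
    if (!arg.startsWith('--')) { (argv._ = argv._ || []).push(arg); continue; }
    let body = arg.slice(2);
    let value;
    const eq = body.indexOf('=');
    if (eq !== -1) { value = body.slice(eq + 1); body = body.slice(0, eq); }
    else if (i + 1 < args.length && !args[i + 1].startsWith('--')) { value = args[++i]; }
    else { value = true; }
    if (!setPath(argv, body.split('.'), value, safe)) rejected.push(arg);
  }
  return { argv, rejected };
}

// Report whether a property name has leaked onto Object.prototype, i.e.
// whether an unrelated, freshly created object now "has" it.
function isPolluted(name) {
  return ({})[name] !== undefined;
}

// Demonstration on constructed input: the same payload through both modes.
function demo() {
  const payload = ['--__proto__.polluted=yes', '--name=eslint-loader', 'src/'];

  const unsafe = parseArgv(payload, { safe: false });
  const pollutedAfterUnsafe = isPolluted('polluted'); // true: every object now has .polluted
  delete Object.prototype.polluted;                   // undo the damage before the next run

  const safeRun = parseArgv(payload, { safe: true });
  const pollutedAfterSafe = isPolluted('polluted');   // false: the argument was refused

  return {
    unsafeName: unsafe.argv.name,
    pollutedAfterUnsafe,
    safeName: safeRun.argv.name,
    safeRejected: safeRun.rejected,
    pollutedAfterSafe,
    positional: safeRun.argv._,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Refusing the reserved segments is one common fix for this class; it is written here for illustration and is not a copy of the minimist patch. The point for the audit report above is that the bug needs no direct caller in eslint-loader: any argv string that reaches a vulnerable minimist through the `loader-fs-cache > mkdirp > minimist` path is enough, so the fix is to move the whole path onto a patched version rather than to change how eslint-loader itself calls it.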

neokeld commented 4 years ago

Related to this issue in loader-fs-cache : https://github.com/viankakrisna/loader-fs-cache/issues/5

neokeld commented 4 years ago

I've published a fork of https://www.npmjs.com/package/loader-fs-cache (repo https://github.com/viankakrisna/loader-fs-cache) to fix this issue here: https://www.npmjs.com/package/create-fs-cache (repo https://github.com/neokeld/create-fs-cache). @webmaster128 has published a pull request to the original lib loader-fs-cache and I hope it will be merged soon by @viankakrisna. But if it is needed I will maintain my fork.

neokeld commented 4 years ago

@viankakrisna has published a new version (1.0.3) of loader-fs-cache with the fix.

vilbergs commented 4 years ago

I forked to see if this was an easy fix. Seems that the vulnerability is bubbling up from standard-version.

I assume there's no direct action to be taken here.

neokeld commented 4 years ago

Indeed, it is also coming from standard-version:

|---------------|--------------------------------------------------------------|
| Low           | Prototype Pollution                                          |
|---------------|--------------------------------------------------------------|
| Package       | minimist                                                     |
|---------------|--------------------------------------------------------------|
| Patched in    | >=0.2.1 <1.0.0 || >=1.2.3                                    |
|---------------|--------------------------------------------------------------|
| Dependency of | standard-version [dev]                                       |
|---------------|--------------------------------------------------------------|
| Path          | standard-version > conventional-changelog >                  |
|               | conventional-changelog-core > conventional-changelog-writer  |
|               | > handlebars > optimist > minimist                           |
|---------------|--------------------------------------------------------------|
| More info     | https://npmjs.com/advisories/1179                            |
|---------------|--------------------------------------------------------------|

There is an ongoing pull request on handlebars to fix this vuln: https://github.com/wycats/handlebars.js/pull/1662

OZZlE commented 4 years ago

It looks like @neokeld committed a fix, but I don't see any new release version. I took the work time to revisit this again now that I saw it was 'fixed', but it doesn't seem to be. I installed latest.

ricardogobbosouza commented 4 years ago

@OZZlE I haven't launched it yet.

ricardogobbosouza commented 4 years ago

@OZZlE v3.0.4