
Prototype Pollution in minimist | @angular-devkit/schematics-cli v13.3.0 #22872

Closed · Shinigami92 opened this issue Mar 22, 2022 · 5 comments

Comments

@Shinigami92

nestjs/nest-cli#1579

Blocking CI/CD in company project using @nestjs/cli

Prototype Pollution in minimist

> pnpm audit
┌─────────────────────┬───────────────────────────────────────────────────┐
│ high                │ Prototype Pollution in minimist                   │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ minimist                                          │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.2.5                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                            │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└─────────────────────┴───────────────────────────────────────────────────┘
1 vulnerabilities found
Severity: 1 high
> pnpm why minimist
Legend: production dependency, optional only, dev only

dependencies:
@nestjs/apollo 10.0.7
├─┬ @nestjs/core 8.4.2 peer
│ └─┬ @nestjs/platform-express 8.4.2 peer
│   └─┬ multer 1.4.4
│     └─┬ mkdirp 0.5.5
│       └── minimist 1.2.6
└─┬ @nestjs/graphql 10.0.7 peer
  └─┬ @nestjs/core 8.4.2 peer
    └─┬ @nestjs/platform-express 8.4.2 peer
      └─┬ multer 1.4.4
        └─┬ mkdirp 0.5.5
          └── minimist 1.2.6
@nestjs/core 8.4.2
└─┬ @nestjs/platform-express 8.4.2 peer
  └─┬ multer 1.4.4
    └─┬ mkdirp 0.5.5
      └── minimist 1.2.6
@nestjs/graphql 10.0.7
└─┬ @nestjs/core 8.4.2 peer
  └─┬ @nestjs/platform-express 8.4.2 peer
    └─┬ multer 1.4.4
      └─┬ mkdirp 0.5.5
        └── minimist 1.2.6
@nestjs/platform-express 8.4.2
└─┬ multer 1.4.4
  └─┬ mkdirp 0.5.5
    └── minimist 1.2.6

devDependencies:
@nestjs/cli 8.2.4
├─┬ @angular-devkit/schematics-cli 13.3.0
│ └── minimist 1.2.5
├─┬ tsconfig-paths 3.14.0
│ ├─┬ json5 1.0.1
│ │ └── minimist 1.2.6
│ └── minimist 1.2.6
└─┬ tsconfig-paths-webpack-plugin 3.5.2
  └─┬ tsconfig-paths 3.14.0
    ├─┬ json5 1.0.1
    │ └── minimist 1.2.6
    └── minimist 1.2.6
@nestjs/testing 8.4.2
├─┬ @nestjs/core 8.4.2 peer
│ └─┬ @nestjs/platform-express 8.4.2 peer
│   └─┬ multer 1.4.4
│     └─┬ mkdirp 0.5.5
│       └── minimist 1.2.6
└─┬ @nestjs/platform-express 8.4.2 peer
  └─┬ multer 1.4.4
    └─┬ mkdirp 0.5.5
      └── minimist 1.2.6
tsconfig-paths 3.14.0
├─┬ json5 1.0.1
│ └── minimist 1.2.6
└── minimist 1.2.6
@Shinigami92 (Author)

Temporary workaround => add this to package.json:

  // ...
  "pnpm": {
    "overrides": {
      "minimist@<=1.2.5": "1.2.6"
    }
  }

So at least this unblocks my CI
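The advisory class behind the audit finding above, as an added example that is not part of this thread, of minimist, or of the Angular CLI: a minimal dotted-key argument setter of the kind argument parsers use, hardened so that a path such as `__proto__.x` is refused rather than walked onto `Object.prototype`, plus a guard a CI job can run after parsing. All function names are hypothetical.

```javascript
// Added example, not minimist's code: a simplified "--a.b=c" setter that
// refuses path segments which would reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign value at a dotted path, creating intermediate objects.
// Returns false (and assigns nothing) if any segment is a forbidden key.
function setNested(target, path, value) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) return false;
  let obj = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Descend only into own plain objects, never into inherited properties.
    const own = Object.prototype.hasOwnProperty.call(obj, key);
    if (!own || typeof obj[key] !== 'object' || obj[key] === null) {
      obj[key] = {};
    }
    obj = obj[key];
  }
  obj[parts[parts.length - 1]] = value;
  return true;
}

// Parse "--key.sub=value" arguments; refused arguments are reported, not
// silently dropped, so a CI log shows what was rejected.
function parseDotted(argv) {
  const result = {};
  const refused = [];
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    if (!setNested(result, m[1], m[2])) refused.push(arg);
  }
  return { result, refused };
}

// Guard: a fresh object must not inherit the given marker property.
function prototypeIsClean(marker) {
  return !(marker in {});
}

// Constructed sample input: one legitimate option and two pollution attempts.
const SAMPLE_ARGV = ['--db.host=localhost', '--__proto__.polluted=yes', '--constructor.prototype.polluted=yes'];
```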

@alan-agius4 (Collaborator)

alan-agius4 commented Mar 22, 2022

It appears that 1.2.6 is still vulnerable https://snyk.io/test/npm/minimist/1.2.6

That said, it is important to point out that we don't expect the CLI to run in production environments where this vulnerability can be exploited.

@zackdotcomputer

Filed with them: https://github.com/substack/minimist/issues/168

Agreed that this isn't a must-fix-right-away issue because it's in a CLI; my main concern over on my project is that someone runs npm audit fix --force and winds up downgrading our use of @nestjs/cli (which depends on this repo) back a few years.

@alan-agius4 (Collaborator)

Closed via #22873

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Apr 26, 2022