
Prototype Pollution in minimist | upstream @angular-devkit/schematics-cli v13.3.0 #1579

Closed
2 of 4 tasks
Shinigami92 opened this issue Mar 22, 2022 · 2 comments

Comments

@Shinigami92

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Running pnpm audit in my project results in

┌─────────────────────┬───────────────────────────────────────────────────┐
│ high                │ Prototype Pollution in minimist                   │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ minimist                                          │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.2.5                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                            │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└─────────────────────┴───────────────────────────────────────────────────┘
1 vulnerabilities found
Severity: 1 high

Minimum reproduction code

really needed?

Steps to reproduce

  1. pnpm add -D @nestjs/cli (8.2.4)
  2. pnpm audit

Expected behavior

No vulnerabilities that are reported as >= high.
As this is a devDependency, our CI/CD is blocked until this is no longer reported, or at least until it is lower than high.

Package version

8.2.4

NestJS version

8.4.2

Node.js version

v16.14.0

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

> pnpm why minimist
Legend: production dependency, optional only, dev only

dependencies:
@nestjs/apollo 10.0.7
├─┬ @nestjs/core 8.4.2 peer
│ └─┬ @nestjs/platform-express 8.4.2 peer
│   └─┬ multer 1.4.4
│     └─┬ mkdirp 0.5.5
│       └── minimist 1.2.6
└─┬ @nestjs/graphql 10.0.7 peer
  └─┬ @nestjs/core 8.4.2 peer
    └─┬ @nestjs/platform-express 8.4.2 peer
      └─┬ multer 1.4.4
        └─┬ mkdirp 0.5.5
          └── minimist 1.2.6
@nestjs/core 8.4.2
└─┬ @nestjs/platform-express 8.4.2 peer
  └─┬ multer 1.4.4
    └─┬ mkdirp 0.5.5
      └── minimist 1.2.6
@nestjs/graphql 10.0.7
└─┬ @nestjs/core 8.4.2 peer
  └─┬ @nestjs/platform-express 8.4.2 peer
    └─┬ multer 1.4.4
      └─┬ mkdirp 0.5.5
        └── minimist 1.2.6
@nestjs/platform-express 8.4.2
└─┬ multer 1.4.4
  └─┬ mkdirp 0.5.5
    └── minimist 1.2.6

devDependencies:
@nestjs/cli 8.2.4
├─┬ @angular-devkit/schematics-cli 13.3.0
│ └── minimist 1.2.5
├─┬ tsconfig-paths 3.14.0
│ ├─┬ json5 1.0.1
│ │ └── minimist 1.2.6
│ └── minimist 1.2.6
└─┬ tsconfig-paths-webpack-plugin 3.5.2
  └─┬ tsconfig-paths 3.14.0
    ├─┬ json5 1.0.1
    │ └── minimist 1.2.6
    └── minimist 1.2.6
@nestjs/testing 8.4.2
├─┬ @nestjs/core 8.4.2 peer
│ └─┬ @nestjs/platform-express 8.4.2 peer
│   └─┬ multer 1.4.4
│     └─┬ mkdirp 0.5.5
│       └── minimist 1.2.6
└─┬ @nestjs/platform-express 8.4.2 peer
  └─┬ multer 1.4.4
    └─┬ mkdirp 0.5.5
      └── minimist 1.2.6
tsconfig-paths 3.14.0
├─┬ json5 1.0.1
│ └── minimist 1.2.6
└── minimist 1.2.6
@Shinigami92 (Author)

I know this is an upstream vulnerability, but I hope you can communicate somehow to the angular team

@kamilmysliwiec (Member)

There's not much we can do on our side. Please, report this issue in the @angular-devkit/schematics-cli repo

@nestjs nestjs locked and limited conversation to collaborators Mar 22, 2022