
Low Severity Vulnerability : Prototype Pollution in minimist. #1992

Closed
naveen106 opened this issue Mar 21, 2022 · 8 comments

naveen106 commented Mar 21, 2022


  • Versions:
  • nodemon -v: 2.0.15
  • node: 14.15.4
  • Operating system/terminal environment: Windows 10/ Vs code terminal (git bash in vs code)
  • Using Docker? What image: none
  • Command you ran: npm audit

Expected behaviour

found 0 vulnerabilities

Actual behaviour

found 2 vulnerabilities // I installed the hbs (handlebars) package; after installing it, it directly showed two high vulnerabilities (one in hbs's minimist, and one in nodemon's minimist).

Steps to reproduce


remy (Owner) commented Mar 21, 2022

https://snyk.io/test/npm/nodemon#SNYK-JS-MINIMIST-2429795

I've updated the title to reflect a more accurate representation - I don't particularly rate GitHub's advisories at all.

There's a ticket that's open wanting to remove update-notifier entirely: #1961

remy changed the title from "High Severity Vulnerability : Prototype Pollution in minimist." to "Low Severity Vulnerability : Prototype Pollution in minimist." on Mar 21, 2022

naveen106 (Author) commented Mar 21, 2022

I apologize, I am unable to understand clearly (the links you provided). I am still in my learning phase; I saw a vulnerability, and I reported it. Can you tell me whether this vulnerability can be fixed?

Update: I tested by installing nodemon in a completely new and empty folder (did everything: initialized npm, package.json, made index.js etc.), and it still shows the same error that it found one vulnerability. So, it's probably not an error on my side.

SDCore commented Mar 21, 2022

Not sure if it's directly related to this issue, but whenever I have Nodemon installed, I get "8 high severity vulnerabilities", compared to when it's not installed and I have 0.

Node 16.14.2, NPM 8.5.0, Nodemon 2.0.15 on Mac OS 11.6.

naveen106 (Author) commented

> Not sure if it's directly related to this issue, but whenever I have Nodemon installed, I get "8 high severity vulnerabilities", compared to when it's not installed and I have 0.

It shows the same minimist vulnerability for the hbs (handlebars) package too. The hbs package shows 7 vulnerabilities without a package.json and this same single one with it included in the directory. nodemon shows it (one vulnerability) with and without a package.json file.

remy (Owner) commented Mar 21, 2022

The reality is that there is an exceptionally slim chance of this vuln affecting you - iirc it can only be exploited through nodemon if you're using someone else's required version of nodemon (which you've not reported - i.e. you're probably running nodemon directly).

I suspect you'll see a minor bump in update-notifier or one of the downstream deps - and an npm install will automatically jump over the vulnerable package.

All the same, I still want to remove update-notifier at some point soon.

remy (Owner) commented Mar 29, 2022

As mentioned, a bump in your local deps (or just removing nodemon and re-installing) will clear the vuln: https://snyk.io/test/npm/nodemon

Closing this issue - I think the update-notifier is tracked in another issue (don't have the ticket to hand though).

remy closed this as completed Mar 29, 2022

remy (Owner) commented Mar 29, 2022

For others on this thread, it's always worth completely removing your node_modules and running npm install (over npm ci) in this specific case (I'm not 100% sure, but I think with yarn it's a straightforward yarn to do a clean reinstall). This will ensure you're getting the latest requested nodemon deps, and should clear you out of the range where there's a potential vulnerability in some deep dependency.

naveen106 (Author) commented

Thanks.
