Replace optimist or otherwise avoid its vulnerability #218

Closed
brettz9 opened this issue Mar 18, 2020 · 8 comments

Comments

@brettz9
Collaborator

brettz9 commented Mar 18, 2020

The dependency optimist depends on a vulnerable version of minimist (see https://npmjs.com/advisories/1179).

Despite having an issue and PR filed with optimist, since the last commit on optimist was 6 years ago, and since the package is deprecated (and it has also been awaiting a fix for a proper license specifier, making automated license audits problematic in the interim), it'd be really nice if you could drop the optimist dependency, perhaps using one of its suggested replacements (yargs, nomnom, or using minimist directly, though if the latter, I'd hope pegging against the maintained major bump).

(I personally like command-line-args, as one can use it with command-line-usage or my command-line-publish/command-line-basics tools to get documentation (both at the command line and as SVG, allowing embedding in a README) from a simple declarative schema.)

Thanks!

@typehorror

typehorror commented Apr 25, 2020

@brettz9 You can enforce the right version of minimist if you use yarn by using the resolutions feature in your package.json file. I've successfully removed the vulnerability through this commit

Edited to point out that this solution will not work as of today if you use npm

@brettz9
Collaborator Author

brettz9 commented Apr 25, 2020

@Debrice: Yes, thank you, but not every project is using Yarn.

@ghost

ghost commented May 9, 2020

+1

@dscham

dscham commented May 22, 2020

Bump

@Jahmilli

Jahmilli commented Sep 4, 2020

I might be mistaken, but I found that installing npm-force-resolutions as a dev dependency and adding the following into the package.json

  "resolutions": {
    "minimist": "^1.2.5"
  },

as well as the following script into my package.json: "preinstall": "npx npm-force-resolutions"
By then running npm run preinstall and then npm i, it seemed to remove the audit issue around using minimist.

@dscham

dscham commented Sep 5, 2020

Looks like it's dead, last commit on master in 2018? Is there still somebody to merge? Then maybe I'll make a fork with a fix.

@rfossella

Is installing npm-force-resolutions as a dev dependency still the only (recommended) solution to the optimist/minimist issue?

npm audit

Low             Prototype Pollution
  Package         minimist
  Patched in      >=0.2.1 <1.0.0 || >=1.2.3
  Dependency of   optimist
  Path            optimist > minimist
  More info       https://npmjs.com/advisories/1179
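Added example, not code from this thread or from the project: a small Node script that walks a package-lock.json dependency tree and flags any minimist whose version falls outside the advisory's patched range (>=0.2.1 <1.0.0 || >=1.2.3), reporting the same `optimist > minimist` path that the npm audit output above shows. It assumes the lockfileVersion 1 nested `dependencies` shape, and the lockfile object at the bottom is constructed for the demo.

```javascript
// Added example (not from the thread): find minimist versions outside the
// patched range ">=0.2.1 <1.0.0 || >=1.2.3" from npm advisory 1179 in a
// lockfileVersion 1 style nested "dependencies" tree. The sample lockfile
// at the bottom is constructed for this demo.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the version lies in one of the advisory's patched ranges.
function isPatchedMinimist(version) {
  const v = parseVersion(version);
  const legacyBranch = cmp(v, [0, 2, 1]) >= 0 && cmp(v, [1, 0, 0]) < 0;
  const currentBranch = cmp(v, [1, 2, 3]) >= 0;
  return legacyBranch || currentBranch;
}

// Recursively walk nested lockfile "dependencies", collecting every
// vulnerable minimist together with the path that pulls it in.
function findVulnerableMinimist(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === 'minimist' && !isPatchedMinimist(info.version)) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findVulnerableMinimist(info.dependencies, here, out);
  }
  return out;
}

// Constructed sample: the top-level minimist is patched, but optimist
// still nests an old one, which is exactly the case this issue is about.
const sampleLock = {
  dependencies: {
    minimist: { version: '1.2.5' },
    optimist: { version: '0.6.1', dependencies: { minimist: { version: '0.0.10' } } },
  },
};

console.log(findVulnerableMinimist(sampleLock.dependencies));
```

Pointing `findVulnerableMinimist` at `JSON.parse(fs.readFileSync('package-lock.json')).dependencies` runs the same check against a real lockfile before and after applying a resolutions override.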

@brettz9
Collaborator Author

brettz9 commented May 21, 2021

Closed by #227.

@brettz9 brettz9 closed this as completed May 21, 2021