Please read https://angular.io/guide/security#report-issues on how to disclose security related issues.
npm audit command is reporting a new vulnerability in an angular/cli dev dependency. This does not appear critical but it does affect my company's internal tooling that requires passing npm audits.
https://www.npmjs.com/advisories/1179 - moderate vulnerability in minimist pre v1.2.3
+1 same here
github reports both acorn and minimist
here's my yarn why
[kushal@ideapadflex-kushal ondotnetangularfrontend]$ yarn why acorn
yarn why v1.22.4
[1/4] Why do we have the module "acorn"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
- "@angular-devkit#build-angular#webpack" depends on it
- Hoisted from "@angular-devkit#build-angular#webpack#acorn"
info Disk size without dependencies: "1.08MB"
info Disk size with unique dependencies: "1.08MB"
info Disk size with transitive dependencies: "1.08MB"
info Number of shared dependencies: 0
=> Found "rollup#[email protected]"
info This module exists because "@angular-devkit#build-angular#rollup" depends on it.
info Disk size without dependencies: "1.08MB"
info Disk size with unique dependencies: "1.08MB"
info Disk size with transitive dependencies: "1.08MB"
info Number of shared dependencies: 0
Done in 0.66s.
[kushal@ideapadflex-kushal ondotnetangularfrontend]$ yarn why minimist
yarn why v1.22.4
[1/4] Why do we have the module "minimist"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "minimist"
info Reasons this module exists
- Hoisted from "json5#minimist"
- Hoisted from "@angular#compiler-cli#minimist"
- Hoisted from "protractor#blocking-proxy#minimist"
- Hoisted from "protractor#webdriver-manager#minimist"
- Hoisted from "@angular-devkit#build-angular#loader-utils#json5#minimist"
info Disk size without dependencies: "96KB"
info Disk size with unique dependencies: "96KB"
info Disk size with transitive dependencies: "96KB"
info Number of shared dependencies: 0
=> Found "mkdirp#[email protected]"
info This module exists because "cacache#mkdirp" depends on it.
info Disk size without dependencies: "72KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "72KB"
info Number of shared dependencies: 0
=> Found "optimist#[email protected]"
info This module exists because "karma#optimist" depends on it.
info Disk size without dependencies: "80KB"
info Disk size with unique dependencies: "80KB"
info Disk size with transitive dependencies: "80KB"
info Number of shared dependencies: 0
Done in 0.65s.
Associated git commit https://github.com/ondotnet/angularfrontend/commit/9da071c0e2cbb6e1afc639425b19c0d344ad6bf3
Blocking as this needs to be fixed upstream by several direct and transitive dependencies.
npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack > watchpack >
chokidar > fsevents > node-pre-gyp > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack > watchpack >
chokidar > fsevents > node-pre-gyp > tar > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack > watchpack >
chokidar > fsevents > node-pre-gyp > rc > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server >
chokidar > fsevents > node-pre-gyp > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server >
chokidar > fsevents > node-pre-gyp > tar > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > webpack-dev-server >
chokidar > fsevents > node-pre-gyp > rc > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of karma [dev]
Path karma > optimist > minimist
More info https://npmjs.com/advisories/1179
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of protractor [dev]
Path protractor > optimist > minimist
More info https://npmjs.com/advisories/1179
found 8 moderate severity vulnerabilities in 15582 scanned packages
8 vulnerabilities require manual review. See the full report for details.

Hi guys, I'm having the same error, and really, I don't know how I can resolve it. The npm documentation about this situation is so short.
I am working around this at the moment by choosing to up the audit level from low to moderate, which then passes because the minimist issue is at the low level, while I wait for the upstream fix.
so
$ npm audit --audit-level=moderate
instead of
$ npm audit
Thanks for that @alastairtree, I will try this and then I will let you know.
if you add the following below devDependencies in package.json:
"resolutions": {
"minimist": "^1.2.3"
}
then delete node_modules and run
npx npm-force-resolutions && npm install
it will resolve the issue for current builds
@DomTripodi93 what if we don't have browserlist installed? browserlist is required for this fix?
No, browserlist isn't relevant, it's just the default last item in React (which is experiencing the same problem).
I should have said below "devDependencies", but it doesn't technically matter where it is located, it's just best practice to make it the last value, as you will likely remove it after the dependency is updated in the affected packages. I will update above
I'm getting an npm ERR! extraneous: [email protected] after doing your solution steps and running npm ls minimist
Karma version 5.0.0 and Protractor version 5.4.4 have been released and both of them contain the security fix.
@kyliau is liaising with the Karma team to see if it is possible to backport the fix in Karma version 4.
I am currently using Angular core 8.3.0 and I see two versions of minimist 0.0.8 and 1.2.0. How do I include different versions of minimist for each dependency. Say for example for [email protected], I want to use [email protected] and for [email protected] I want to use [email protected]?
Below is my current npm list minimist before any updates:
├─┬ [email protected]
│ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ ├─┬ [email protected]
│ │ │ └── [email protected]
│ │ ├─┬ [email protected]
│ │ └── [email protected]
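A way to verify that the `resolutions` override suggested earlier in the thread actually took effect, and to answer the "two versions of minimist" question above: an added example, not code from the thread, that walks a lockfile-v1 `package-lock.json` tree and lists every copy of minimist below the patched release 1.2.3 named in the advisory. The `sampleLock` object is constructed to mirror the thread (one hoisted fixed copy, two old nested copies); in practice you would `JSON.parse` the real lock file.

```javascript
// Added example: find copies of a package below a patched version in a
// lockfile-v1 "dependencies" tree. sampleLock below is constructed data.
const PATCHED = '1.2.3'; // "Patched in >=1.2.3" from the audit report

// Compare two dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively walk nested "dependencies" objects and collect every
// occurrence of `name`, with the dependency path that pulls it in.
function findPackage(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findPackage(info, name, here, out);
  }
  return out;
}

// Copies of `name` whose version is strictly below `patched`.
function vulnerableCopies(lock, name, patched) {
  return findPackage(lock, name).filter(c => compareVersions(c.version, patched) < 0);
}

// Constructed lock-file fragment: hoisted minimist is fixed, but karma and
// mkdirp still carry their own nested pre-1.2.3 copies.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.5' },
    karma: { version: '4.4.1', dependencies: {
      optimist: { version: '0.6.1', dependencies: { minimist: { version: '0.0.10' } } } } },
    mkdirp: { version: '0.5.1', dependencies: { minimist: { version: '0.0.8' } } },
  },
};

for (const c of vulnerableCopies(sampleLock, 'minimist', PATCHED)) {
  console.log(`${c.path}: ${c.version} is below ${PATCHED}`);
}
```

A non-empty result after `npx npm-force-resolutions && npm install` means the override did not reach every nested copy, which is what `npm ls minimist` showing several versions indicates.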
@tomvmac, you update karma to version ~5.0.0
This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.
Read more about our automatic conversation locking policy.
_This action has been performed automatically by a bot._