Babel-loader: minimist < 1.2.3 showing in npm audit

Created on 20 Mar 2020 · 8 Comments · Source: babel/babel-loader

Installed babel-loader 8.1.0 today, still seeing this from npm list:
(screenshot of the npm list output, taken 2020-03-20, not reproduced here)

Npm vulnerability: https://www.npmjs.com/advisories/1179

All 8 comments

@createthis loader-utils has a json5@^1.0.1 dep, which has a minimist@^1.2.0 dep... you can try removing the minimist entry in your lockfile to grab the latest.

@existentialism I did rm package-lock.json && npm install && npm list. It's still the same result.

Looks like updating dep to loader-utils 2.0.0 would resolve the situation as it would pull in [email protected]. However, that's a breaking change so users can't do it from package.json.

@createthis clearing the audit warning definitely doesn't require loader-utils@2, this repo itself uses dep and doesn't have the warning!

Instead of killing the whole lockfile, maybe try removing just the [email protected] entry and running npm i?

Or try npm --depth 9999 update minimist

Adding "minimist": "^1.2.3", to package.json solves the problem, it's just less than ideal.

It shouldn't be needed. There is a reason if almost everyone uses ^ in their dependencies: it's to automatically get updates :man_shrugging:

If you add the following below browserslist in package.json:

"resolutions": { "minimist": "^1.2.3" }

then delete node_modules and run
npx npm-force-resolutions && npm install
it will resolve the issue.

@existentialism this can be closed, because it was fixed a long time ago; you need to regenerate the lock file.
