Create-react-app: Upgrade ESLint dependencies to fix "high severity security vulnerabilities"
Is your proposal related to a problem?
When creating a new app with the default template it starts with two high severity security vulnerabilities in two of ESLints dependencies: acorn and minimist.
The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.
Identifiers:
CVE-2020-7598
SNYK-JS-ACORN-559469
Describe the solution you'd like
Upgrade minimist to version 1.2.2 or later.
Upgrade acorn to version 7.1.1 or later.
Describe alternatives you've considered
N/A
Additional context
phoqe
👍28
👀2
All 16 comments
phoqe
on 16 Mar 2020
These answers cover only part of the problem, what about minimist dependency?
ashylen
on 18 Mar 2020
@ashylen AFAIK there is no automated security fix for minimist out yet.
phoqe
on 18 Mar 2020
npm i minimist
batouche-dev
on 18 Mar 2020
Hi,
npm i minimist doesn't take away my vulnerability... : ( Is there any other way to perform the manual review?
Thank you
Leired7
on 18 Mar 2020
👍2
I tried with npm-force-resolutions, to manually enforce the version of minimist to 1.2.3, that fixes it but it looks like it breaks webpack of other npm-scripts (e.g: when running Jest tests).
npm i minimist & react-scripts": "^3.4.0 didn't help either.
weigruf
on 19 Mar 2020
Yarn users should be able to work around this using by adding the following to package.json:
"resolutions": {
"minimist": "^1.2.2"
},
At least for my case this satisfied GitHub's automated security bot.
onpaws
on 19 Mar 2020
With npm I tried "resolutions":` {
"minimist": "^1.2.5"
},
and the following npm-script: "preinstall": "npx npm-force-resolutions" but as mentioned earlier it broke webpack of other npm-scripts (e.g: when running Jest tests).
weigruf
on 19 Mar 2020
If anyone finds a working fix, please create a pull request.
phoqe
on 19 Mar 2020
👍14
A temporary solution.
Adding:
"minimist": "^1.2.5"in the devDependencies"resolutions": { "minimist": "^1.2.5" }"preinstall": "npx npm-force-resolutions"(npm-script)
in the package.json and running npm i fixed it for me temporarily.
Of course, you will need to test your affected app(s) (there is a npm ERR! invalid: [email protected] error for the [email protected]).
weigruf
on 19 Mar 2020
👍1
I also get the minimist vulnerability warning as of today:
$ npm audit
=== npm audit security report ===
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Manual Review โ
โ Some vulnerabilities require your attention to resolve โ
โ โ
โ Visit https://go.npm.me/audit-guide for additional guidance โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=0.2.1 <1.0.0 || >=1.2.3 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ @babel/cli [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ @babel/cli > chokidar > fsevents > node-pre-gyp > mkdirp > โ
โ โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1179 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=0.2.1 <1.0.0 || >=1.2.3 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ webpack [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ webpack > watchpack > chokidar > fsevents > node-pre-gyp > โ
โ โ mkdirp > minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1179 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=0.2.1 <1.0.0 || >=1.2.3 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ @babel/cli [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ @babel/cli > chokidar > fsevents > node-pre-gyp > tar > โ
โ โ mkdirp > minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1179 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=0.2.1 <1.0.0 || >=1.2.3 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ webpack [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ webpack > watchpack > chokidar > fsevents > node-pre-gyp > โ
โ โ tar > mkdirp > minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1179 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=0.2.1 <1.0.0 || >=1.2.3 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ @babel/cli [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ @babel/cli > chokidar > fsevents > node-pre-gyp > rc > โ
โ โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1179 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Prototype Pollution โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=0.2.1 <1.0.0 || >=1.2.3 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ webpack [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ webpack > watchpack > chokidar > fsevents > node-pre-gyp > โ
โ โ rc > minimist โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/1179 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
found 6 low severity vulnerabilities in 10258 scanned packages
6 vulnerabilities require manual review. See the full report for details.
$ npm list minimist
[email protected] /Users/my-user/repositories/my-project
โโโฌ @babel/[email protected]
โ โโโฌ [email protected]
โ โโโฌ [email protected]
โ โโโฌ [email protected]
โ โโโฌ [email protected]
โ โ โโโ [email protected]
โ โโโฌ [email protected]
โ โโโ [email protected]
โโโฌ @babel/[email protected]
โ โโโฌ [email protected]
โ โโโ [email protected] deduped
โโโฌ [email protected]
โ โโโฌ [email protected]
โ โ โโโฌ [email protected]
โ โ โโโ [email protected] deduped
โ โโโฌ [email protected]
โ โโโ [email protected] deduped
โโโ [email protected]
โโโฌ [email protected]
โโโฌ [email protected]
โโโฌ [email protected]
โโโ [email protected] deduped
tonix-tuft
on 22 Mar 2020
The acorn issue appears to come from [email protected]. It is nested down in jsdom, which appears have been upgraded as of [email protected]
michael-reeves
on 27 Mar 2020
You need to locate where minimalist used and update the package.json inside node_modules folder, Then the error gone!
The problem is there are some of my modules using minimalist! all node packages using another package and have their own package.json.
I fixed the issue by:
npm audit
then I see the result (for example yargs-parser package):
I locate the path in CMD and update package.json for yargs-parser inside the node modules folder and update the patch of the module then inside the folder I run: npm install; Then the error gone!
Tawfeekamr
on 3 Jun 2020
👎1
Are there any updates? Is there an automated way to fix this yet with npm audit fix?
tombrowndev
on 30 Jun 2020
How can this be fixed?
I tried by deleting node/modules and package-lock.json and do a fresh npm install but I have the same issue, any feedback is really appreciated.
AndresHMosqueda
on 6 Aug 2020
cc @vigomesbr
jimmyandrade
on 7 Aug 2020
👎1
Was this page helpful?
0 / 5 - 0 ratings
Related issues
rdamian3
ยท
3Comments
jnachtigall
ยท
3Comments
Evan-GK
ยท
3Comments
stopachka
ยท
3Comments
xgqfrms-GitHub
ยท
3Comments
Most helpful comment
If anyone finds a working fix, please create a pull request.