Create-react-app: 302 moderate severity vulnerabilities in npm audit due to minimist package
Describe the bug
I have prepared new project with create-react-app. and then I have tried to run npm audit.
in that I got following output
```
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of react-scripts
Path react-scripts > webpack-dev-server > chokidar > fsevents >
node-pre-gyp > rc > minimist
More info https://npmjs.com/advisories/1179
found 302 moderate severity vulnerabilities in 918863 scanned packages
302 vulnerabilities require manual review. See the full report for details.
```
Environment
package.json
"dependencies": {
"@testing-library/jest-dom": "^4.2.4",
"@testing-library/react": "^9.3.2",
"@testing-library/user-event": "^7.1.2",
"react": "^16.13.0",
"react-dom": "^16.13.0",
"react-scripts": "3.4.0"
},
System npm and node version:
npm -v
6.14.2
node -v
v12.12.0
Expected behavior
It should use suggested updated version of package minimist.
sphingu
All 19 comments
Same issue here, except mine says 583 low severity vulnerabilities.
But I'm just curious about something from looking at the path. Does this mean the rc package dependency needs to be updated? Or the react-scripts dependency? Or something else entirely?
mdodge-ecgrow
on 18 Mar 2020
Stopped by to say I'm also having the same issue with 583 low severity vulnerabilities.
briannakeune
on 18 Mar 2020
@briannakeune @mdodge-ecgrow If you have 583 then you likely need to update react-scripts to 3.4.0.
Change your package.json files to "react-scripts": "^3.4.0", and then run npm install
I still have the 302 low-security vulnerabilities though.
kbarnesweb
on 18 Mar 2020
I think this is a webpack issue. I don't use react-scripts and I see similar warnings about minimist. I tried updating webpack to no avail.
embeddedt
on 19 Mar 2020
8663
phoqe
on 19 Mar 2020
@kbarnesweb My current package.json says "react-scripts": "3.4.0". Would the missing caret affect that?
mdodge-ecgrow
on 19 Mar 2020
After recommended fix - "Change your package.json files to "react-scripts": "^3.4.0", and then run npm install" - I still have 583 low severity vulnerabilities
ddd-37
on 19 Mar 2020
@ddd-37 The carrot shouldn't be the reason it works or not in this case. I tried updating jest and it fixed 300 of the 302 issues. If you want to recreate this:
Run
npm i jest@latest
Then, delete package-lock.json and node_modules folder.
Reinstall
npm install
kbarnesweb
on 19 Mar 2020
@ddd-37 I believe the final 2 issues are due to mkdirp still using an old version of minimist. I'll post here if I find a fix.
kbarnesweb
on 19 Mar 2020
Can confirm.
With react-scripts and node-sass, I got a total of 283 low severity vulnerabilities and it's all minimist, which seems to be a dependency of mkdirp in all cases. Mkdirp is using an old version of minimist.
"mkdirp": {
"version": "0.5.1",
"resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
"integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
"requires": {
"minimist": "0.0.8"
},
Seems like a fix is underway, though.
KerimG
on 19 Mar 2020
It appears like they've closed the issue. Does that mean it's done? The only resolution they gave at the end only applies to Yarn users and requires the user to manually do something. What about NPM users? And shouldn't this be a fix that is automatic and just happens when updating to the latest packages?
mdodge-ecgrow
on 19 Mar 2020
Also having this issue. In my case, i just created a new project and i have 2 "Prototype Pollution" low severity vulnerabilities. They are both due the package "minimist", which are dependency of "react-scripts".
They both point to https://www.npmjs.com/advisories/1179 for more info
jwandekoken
on 21 Mar 2020
I ran into the same issue, although I'm using my own React boilerplate w/ Babel and Webpack, not create-react-app. Turns out the chokidar package was using an older version of minimist (and was likely outdated itself). Running npm install chokidar updated chokidar to the latest version that uses a current version of minimist.
dayvista
on 21 Mar 2020
This appears to be fixed in ^3.4.1
install react-scripts@latest to solve this
rossjs
on 31 Mar 2020
I still have it, even in 3.4.1, with yarn audit
a-tonchev
on 3 Apr 2020
Solution:
For npm users:
npm install minimist --save-dev
eg: (minimist version: 1.2.5)Add Resolution key adjacent to dependency key into package.json file
{
"resolutions": {
"minimist": "^1.2.5"
}
}Add below line inside script key into package.json
example:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}Remove node_modules, and then run command: npm install.
That's it. :)
amit14apr
on 6 Apr 2020
I am also still getting this issue after upgrading to react-scripts 3.4.1. I've temporarily used @amit14apr's solution above, but it would be nice if it could be fixed at source.
Has this issue been incorrectly closed, or are we missing some required step to make it work?
EJCFox
on 8 Apr 2020
I still have it, even in 3.4.1, with yarn audit
After reinstalling node modules and yarn lock, everything works fine now. Thanks ;)
a-tonchev
on 9 Apr 2020
- Upgrade
react-scriptsto3.4.1inpackage.json - Remove
yarn.lockfile - Perform a clean install with
yarn install
To see if it is fixed, run npm ls minimist. It should be something like this:
alioguzhan
on 10 Apr 2020
Related issues
DaveLindberg
路
3Comments
onelson
路
3Comments
alleroux
路
3Comments
Aranir
路
3Comments
dualcnhq
路
3Comments
Most helpful comment
It appears like they've closed the issue. Does that mean it's done? The only resolution they gave at the end only applies to Yarn users and requires the user to manually do something. What about NPM users? And shouldn't this be a fix that is automatic and just happens when updating to the latest packages?