Jest: Npm audit failing for jest 24.8.0 with severity high on 26k+ dependencies

Created on 12 Jul 2019 · 14 Comments · Source: facebook/jest

🐛 Bug Report

Npm audit failing for jest 24.8.0 with severity high on 26k+ dependencies

To Reproduce

mkdir new-project && cd new-project
npm init -y
npm install --save [email protected]
npm audit

Should produce the following output:

+ [email protected]
added 547 packages from 362 contributors and audited 873711 packages in 15.659s
found 12675 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

Also see attached npm audit report in JSON format

Attachment: npm_audit_output.json.zip

Expected behavior

N/D

Link to repl or repo (highly encouraged)

N/D

Run npx envinfo --preset jest

Paste the results here:

  System:
    OS: macOS High Sierra 10.13.6
    CPU: (8) x64 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
  Binaries:
    Node: 12.4.0 - ~/n/bin/node
    npm: 6.9.2 - ~/n/bin/npm
  npmPackages:
    jest: ^24.8.0 => 24.8.0
Upstream Bug

Most helpful comment

npm audit fix fixes the problem

All 14 comments

Same issue here

It looks like the offending package down the dependency tree is set-value.

I ran this command npm audit --json | npm-audit-html and got the following report attached.
npm-audit.html.zip

Seems unpatched versions of mixin-deep and set-value are the source of most (all?) of these vulnerabilities.

mixin-deep advisory here https://www.npmjs.com/advisories/1013

Please update to version 2.0.1 or later, a critical bug was fixed in that version.

set-value advisory here https://www.npmjs.com/advisories/1012

Please update to version 3.0.1 or later, a critical bug was fixed in that version.

BUMP

Would it be possible to upgrade micromatch to version ^4? Seems this version removes a dependency on snapdragon which has mixin-deep in its chain. Seems there are a lot of jest-* packages that have micromatch 3 as a dependency though.

Edit: Might not be able to since micromatch 4 requires node 8.

Upgrading micromatch to v4 (breaking) is planned for Jest 25, for performance reasons as well

Same here, set-value has been reported as vulnerable since last Friday

@jeysal, is there an estimate release date for v25?

@lmammino There'll be at least one more minor release soon before the phase of landing breaking changes for 25 starts

npm audit fix fixes the problem

Same for me - npm audit fix fixed the problem

If npm audit fix fixes the problem, it means all fixed packages are within semver range of Jest and its dependencies. So I think we can close this.

(Happy to take PRs increasing the minimum version of Jest's deps if it helps pull in upstream fixes when we _do_ make a release)

Great to see the community moved so fast on this! Thanks to everyone involved


Both mixin-deep and set-value originate from braces, which comes in through micromatch. So not much we can bump on our side beyond micromatch 4 (which is a breaking change, as mentioned above) to bubble up fixed versions.
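The two points made in this thread, that the thousands of reported "vulnerabilities" collapse to a couple of packages (set-value and mixin-deep) and that every affected path runs through micromatch and braces, can be checked mechanically from the `npm audit --json` report instead of a rendered HTML view. The script below is an added example, not code from the Jest project or from anyone in this thread. It reads an npm 6 style audit report (`advisories` keyed by id, each with `module_name`, `severity` and `findings[].paths`), groups the findings per vulnerable module, and computes the dependency-chain prefix shared by every path, which is the deepest package a consumer could bump to cut all of them off at once. npm 6 counts each vulnerable dependency path separately, which is how two advisories show up as a five-digit count. The embedded report is constructed for the example; its dependency paths and versions are illustrative, only the advisory ids and module names come from the thread.

```javascript
// Constructed sample in the shape of npm 6's `npm audit --json` output.
// Advisory ids 1012 / 1013 and the module names are the ones discussed in the
// thread; the paths and versions below are illustrative, not real lockfile data.
const SAMPLE_REPORT = {
  advisories: {
    '1012': {
      id: 1012,
      module_name: 'set-value',
      severity: 'high',
      title: 'Prototype Pollution',
      url: 'https://www.npmjs.com/advisories/1012',
      findings: [{
        version: '2.0.0',
        paths: [
          'jest>jest-cli>micromatch>braces>snapdragon>base>cache-base>set-value',
          'jest>jest-cli>micromatch>braces>snapdragon>base>cache-base>union-value>set-value',
        ],
      }],
    },
    '1013': {
      id: 1013,
      module_name: 'mixin-deep',
      severity: 'high',
      title: 'Prototype Pollution',
      url: 'https://www.npmjs.com/advisories/1013',
      findings: [{
        version: '1.3.1',
        paths: ['jest>jest-cli>micromatch>braces>snapdragon>base>mixin-deep'],
      }],
    },
  },
  // npm 6 reports one count per vulnerable path, so two advisories give three here.
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 3, critical: 0 } },
};

// Collect every vulnerable path in the report as an array of package names.
function allChains(report) {
  const chains = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) chains.push(path.split('>'));
    }
  }
  return chains;
}

// Group findings per vulnerable module: how many paths reach it, which advisory
// ids apply, which top-level dependency each path starts from, and which package
// directly depends on it (the one whose own range would need to move).
function summarizeAudit(report) {
  const byModule = new Map();
  for (const adv of Object.values(report.advisories || {})) {
    const entry = byModule.get(adv.module_name) || {
      module: adv.module_name, severity: adv.severity,
      advisories: new Set(), paths: 0, roots: new Set(), parents: new Set(),
    };
    entry.advisories.add(adv.id);
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split('>');
        entry.paths += 1;
        entry.roots.add(chain[0]);
        if (chain.length > 1) entry.parents.add(chain[chain.length - 2]);
      }
    }
    byModule.set(adv.module_name, entry);
  }
  return [...byModule.values()]
    .map(e => ({
      ...e,
      advisories: [...e.advisories].sort((a, b) => a - b),
      roots: [...e.roots].sort(),
      parents: [...e.parents].sort(),
    }))
    .sort((a, b) => b.paths - a.paths || a.module.localeCompare(b.module));
}

// Longest chain of ancestors shared by every vulnerable path (the vulnerable
// module itself is excluded). Its last element is the single package whose
// upgrade would remove all of the reported paths; empty if nothing is shared.
function commonPrefix(report) {
  const ancestors = allChains(report).map(chain => chain.slice(0, -1));
  if (ancestors.length === 0) return [];
  let prefix = ancestors[0];
  for (const chain of ancestors.slice(1)) {
    let i = 0;
    while (i < prefix.length && i < chain.length && prefix[i] === chain[i]) i += 1;
    prefix = prefix.slice(0, i);
  }
  return prefix;
}

// Stand-alone usage: `node triage.js < audit.json`, or run without input to
// see the constructed sample summarised.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const report = process.stdin.isTTY
    ? SAMPLE_REPORT
    : JSON.parse(fs.readFileSync(0, 'utf8'));
  for (const e of summarizeAudit(report)) {
    console.log(`${e.module} [${e.severity}] advisories=${e.advisories.join(',')} ` +
      `paths=${e.paths} parents=${e.parents.join(',')} roots=${e.roots.join(',')}`);
  }
  console.log('shared ancestor chain:', commonPrefix(report).join(' > ') || '(none)');
}
```

On the sample, the summary shows two modules instead of three "vulnerabilities", and the shared ancestor chain ends at `base` under `snapdragon`, `braces` and `micromatch`, which is the "everything routes through micromatch" observation above expressed as data. On a real report the same prefix computation tells you whether one bump (here micromatch 4) would clear the audit, or whether several independent chains need attention.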
