Steps to reproduce the behavior:
run npm audit with jest latest version installed
npm does not report any security vulnerabilities when jest is defined in package.json.
Achievable if minimist is upgraded to >=1.2.3
  "jest": {
    "testEnvironment": "node",
    "transform": {
      "^.+\\.tsx?$": "ts-jest"
    },
    "testRegex": "(/__tests__/.*|(\\.|/)(spec))\\.(tsx?)$",
    "collectCoverage": true,
    "coverageThreshold": {
      "global": {
        "branches": 100,
        "functions": 100,
        "lines": 100,
        "statements": 100
      }
    },
    "coverageReporters": [
      "text-summary",
      "html"
    ],
    "collectCoverageFrom": [
      "src/**/*.{ts,tsx}",
      "!**/node_modules/**"
    ],
    "reporters": [
      "default"
    ],
    "moduleFileExtensions": [
      "ts",
      "tsx",
      "js",
      "jsx",
      "json",
      "node"
    ],
    "setupFiles": [
      "<rootDir>/test/jest-setup.ts"
    ],
    "globals": {
      "ts-jest": {
        "diagnostics": false
      }
    }
  }
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate       │ Prototype Pollution                                          │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ minimist                                                     │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ jest [dev]                                                   │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ jest > jest-cli > @jest/core > jest-runner > jest-config >   │
│                │ jest-jasmine2 > expect > jest-message-util >                 │
│                │ @jest/test-result > @jest/transform > jest-haste-map >       │
│                │ jest-util > mkdirp > minimist                                │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://npmjs.com/advisories/1179                            │
└────────────────┴──────────────────────────────────────────────────────────────┘
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate       │ Prototype Pollution                                          │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ minimist                                                     │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ jest [dev]                                                   │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ jest > @jest/core > jest-config > jest-jasmine2 > expect >   │
│                │ jest-message-util > @jest/test-result > @jest/transform >    │
│                │ jest-haste-map > jest-util > mkdirp > minimist               │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://npmjs.com/advisories/1179                            │
└────────────────┴──────────────────────────────────────────────────────────────┘
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate       │ Prototype Pollution                                          │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ minimist                                                     │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ jest [dev]                                                   │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ jest > jest-cli > @jest/core > jest-config > jest-jasmine2 > │
│                │ expect > jest-message-util > @jest/test-result >             │
│                │ @jest/transform > jest-haste-map > jest-util > mkdirp >      │
│                │ minimist                                                     │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://npmjs.com/advisories/1179                            │
└────────────────┴──────────────────────────────────────────────────────────────┘
┌────────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate       │ Prototype Pollution                                          │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Package        │ minimist                                                     │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in     │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of  │ jest [dev]                                                   │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ Path           │ jest > jest-cli > jest-config > jest-jasmine2 > expect >     │
│                │ jest-message-util > @jest/test-result > @jest/transform >    │
│                │ jest-haste-map > jest-util > mkdirp > minimist               │
├────────────────┼──────────────────────────────────────────────────────────────┤
│ More info      │ https://npmjs.com/advisories/1179                            │
└────────────────┴──────────────────────────────────────────────────────────────┘
Can confirm. Upwards of 1500+ vulnerabilities because of jest@latest install, which depends on an unpatched version of minimist.
Root cause is an outdated version of mkdirp that requires an older version of minimist.
Most direct dependency I see is jest > @jest/core > jest-util > mkdirp > minimist, or jest > @jest/core > jest-snapshot > mkdirp > minimist
Looks like it's fixed in #9486 and will be included in next release.
Duplicate of #9683. And as mentioned there, the vulnerability has been fixed. A fresh install of jest produces 0 warnings.
$ docker run -it --rm node:13-alpine sh -c 'mkdir dir; cd dir; npm init -y; npm i -D jest; npm audit'
Unable to find image 'node:13-alpine' locally
13-alpine: Pulling from library/node
c9b1b535fdd9: Already exists
8488f113df73: Pull complete
09953e135439: Pull complete
b1863e3df3d5: Pull complete
Digest: sha256:269d33f58640e1a8291e3d8ae9c55a4a7c4803fde791554c8c8b14a3a9368e62
Status: Downloaded newer image for node:13-alpine
Wrote to /dir/package.json:
{
"name": "dir",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN [email protected] No description
npm WARN [email protected] No repository field.
+ [email protected]
added 483 packages from 285 contributors and audited 1203821 packages in 54.515s
23 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
=== npm audit security report ===
found 0 vulnerabilities
in 1203821 scanned packages
Hi @SimenB do you know when the next release will come out?
you don't need a new release, a fresh install has no warnings, so just fix your lockfile
@dlipeles the fresh install should help you out, if it doesn't you can:
Removal of node_modules & package-lock.json, followed by npm install. Running
npm uninstall --save-dev jest
followed by
npm install --save-dev jest@latest
and finally running npm audit results in found 1509 low severity vulnerabilities in 1206982 scanned packages
Running npm audit after uninstalling jest results in found 13 low severity vulnerabilities in 3174 scanned packages
To me this still seems unresolved.
@SimenB Please have a look again. Maybe we are doing something wrong but I still have the vulnerabilities like explained by: https://github.com/facebook/jest/issues/9684#issuecomment-601051499
you don't need a new release, a fresh install has no warnings, so just fix your lockfile
I have already tried doing a fresh install of the latest version but it still has vulnerabilities. If this is being fixed in the next release that would be great.
Removal of node_modules & package-lock.json, followed by running npm install and new npm audit seems to result in vulnerabilities being resolved!
I've also tried a fresh install, including npm cache clean --force but npm audit still throws errors.
For those using yarn, one way to fix this issue is to delete yarn.lock and node_modules and re-run yarn install.
Installing latest version of Jest will at least remove the mkdirp dependency.
In general the tips above will work. We won't be making releases every time some deep dependency has a vulnerability, unless it actually affects us or the fix is out of semver range.
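As an added example (not code from the jest project or from anyone in this thread) of why regenerating the lockfile resolves the finding: the script below walks a lockfileVersion 1 package-lock.json the way npm resolves `requires`, lists every path that reaches minimist, and checks each resolved version against the advisory's patched range. The lockfile it walks is a constructed, trimmed stand-in, and `tracePaths`, `isPatched` and the version numbers are assumptions, not values from the thread.

```javascript
// Added example, not jest project code: trace how a lockfileVersion 1 package-lock.json
// resolves a transitive package and flag copies outside the advisory's patched range.
// PATCHED_RANGE is from the audit table above; LOCK is a constructed, trimmed stand-in.
const PATCHED_RANGE = ">=0.2.1 <1.0.0 || >=1.2.3";

// Compare two x.y.z versions: -1, 0 or 1 (pre-release tags not handled).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
// The two OR'd clauses of PATCHED_RANGE written out.
function isPatched(v) {
  return (cmp(v, "0.2.1") >= 0 && cmp(v, "1.0.0") < 0) || cmp(v, "1.2.3") >= 0;
}
// npm lookup: the nearest enclosing "dependencies" map that has `name` wins,
// which is why a nested old copy shadows a hoisted patched one.
function resolve(name, chain) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}
// Follow every `requires` edge from the root; record each path reaching `target`.
function tracePaths(lock, directDeps, target) {
  const out = [];
  (function walk(chain, names, seen) {
    for (const req of Object.keys(chain[chain.length - 1].requires || {})) {
      const child = resolve(req, chain);
      if (!child || seen.has(child)) continue; // unresolved entry or cycle
      const path = [...names, req];
      if (req === target) out.push({ path: path.join(" > "), version: child.version, patched: isPatched(child.version) });
      walk([...chain, child], path, new Set([...seen, child]));
    }
  })([{ requires: directDeps, dependencies: lock.dependencies }], [], new Set());
  return out;
}
const LOCK = { dependencies: { // constructed: hoisted minimist is patched, mkdirp pins an old nested copy
  jest: { version: "25.1.0", requires: { "@jest/core": "^25.1.0" } },
  "@jest/core": { version: "25.1.0", requires: { "jest-util": "^25.1.0", "jest-snapshot": "^25.1.0" } },
  "jest-util": { version: "25.1.0", requires: { mkdirp: "^0.5.1" } },
  "jest-snapshot": { version: "25.1.0", requires: { mkdirp: "^0.5.1" } },
  mkdirp: { version: "0.5.1", requires: { minimist: "0.0.8" }, dependencies: { minimist: { version: "0.0.8" } } },
  minimist: { version: "1.2.5" },
} };
const findings = tracePaths(LOCK, { jest: "^25.1.0" }, "minimist");
for (const f of findings) console.log(`${f.patched ? "ok" : "UNPATCHED"} ${f.version} ${f.path}`);
```

Pointed at a real lockfile (`JSON.parse(fs.readFileSync("package-lock.json"))` with the project's devDependencies as `directDeps`), the same walk shows which nested copy `npm audit` is complaining about and whether a regenerated lockfile still pins it.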