Laravel-mix: yargs-parser vulnerability

Created on 1 May 2020 · 20 comments · Source: JeffreyWay/laravel-mix

  • Laravel Mix Version: 5.0.4
  • Node Version: 12.16.1
  • NPM Version: 6.13.4
  • OS: Ubuntu 19.10

Hello there,

npm is reporting a Prototype Pollution vulnerability on the yargs-parser dependency

Low - Prototype Pollution
Package: yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of: laravel-mix [dev]
Path: laravel-mix > webpack-dev-server > yargs > yargs-parser

and the same goes for

Path: laravel-mix > yargs > yargs-parser

All 20 comments

Updating yargs to 15.3.1 should solve this, but requiring it locally doesn't seem to solve npm audit for me. In theory it should pull in ^18.1.1 of yargs-parser which currently matches 18.0.3.

Is it not possible to directly increase the required version in the package.json? With a new release the problem should solve itself.

https://github.com/JeffreyWay/laravel-mix/blob/8f1a87e397ff2f832f4f5f4d495937f97e230f1a/package.json#L71

Is there any solution to this if you are not running Laravel Mix?
I tried re-installing the yargs-parser in the right directory, but the vulnerability still shows up if I run npm audit

I have the same problem. How do I resolve it?

I'm using laravel-mix but the vulnerability still shows up for me.

Also having this issue. Even on the v6 alpha. I think it is an issue with the yargs-parser package itself: https://github.com/yargs/yargs-parser/issues/270 that still hasn't been fixed (unless I am missing something from what @dshoreman said)

I just wrote an article on this issue's fix. Check it out on medium https://medium.com/@dieguiviti/yargs-parser-vulnerability-fix-5ab421663d22

I'm not on my dev machine, thus I haven't yet tested the workaround from Diego's blog post, but here's the tl;dr:

  1. Open the package.json for Laravel Mix (or @vue/cli-service, react, etc)
  2. Manually bump webpack-dev-server to "3.11.0"
  3. Run npm install && npm audit fix in the project root.

While the discussion in the last few comments will fix the originally posted audit report, it still won't fix all audit problems in laravel-mix, as it depends on yargs directly:

```

                   === npm audit security report ===

┌─────────────────────────────────────────────────────────────┐
│ Manual Review                                               │
│ Some vulnerabilities require your attention to resolve      │
│                                                             │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└─────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                              │
├───────────────┼──────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                     │
├───────────────┼──────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 │
├───────────────┼──────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix                                      │
├───────────────┼──────────────────────────────────────────────────┤
│ Path          │ laravel-mix > yargs > yargs-parser               │
├───────────────┼──────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                │
└───────────────┴──────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1051 scanned packages
1 vulnerability requires manual review. See the full report for details.
```

You can confirm this by running npm i laravel-mix in a fresh directory that doesn't have a package.json, since that will pull in the latest of all packages (including webpack-dev-server).

Hello,
I think I might have found a solution for this problem.
The main problem is that the yargs-parser package contains a vulnerability and the version after it doesn't, but the yargs package still requires the old version, so we can basically solve this error by forcing yargs to use the latest version of yargs-parser, which is 18.1.3 instead of 18.1.2.

So first you can add these lines to your package.json file.

  1. Add this line to your scripts section
    "preinstall": "npx npm-force-resolutions"

  2. Add a new key to your package.json file named resolutions and add a new line in it with the appropriate version of yargs-parser
    "resolutions": { "yargs-parser": "^18.1.3" }

  3. Run npm install yargs-parser --save-dev && npm update && npm install

And voilà, you are now set to use laravel-mix again as intended.

Code great things :)
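The audit report above lists the two paths through which yargs-parser is pulled in, and the forced-resolution workaround only helps if every copy in the tree actually ends up inside the patched ranges. The script below is an added example, not code from the laravel-mix project or from anyone in this thread: it walks a package-lock.json (both the nested lockfileVersion 1 shape and the flat "packages" map of versions 2 and 3), finds every installed yargs-parser, and reports whether each version satisfies the ranges npm audit printed (>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2). The lock-file fragment it runs against is constructed sample data; the version numbers in it are illustrative, not taken from a real install.

```javascript
// Added example (not from the laravel-mix project or this thread): check
// every yargs-parser copy in a package-lock.json against the patched ranges
// that npm audit reports for this advisory. No dependencies; the semver
// comparison is only what these ranges need (major.minor.patch, no tags).

// Patched ranges exactly as reported by npm audit:
//   >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
const PATCHED_RANGES = [
  { min: [13, 1, 2], max: [14, 0, 0] }, // max is exclusive
  { min: [15, 0, 1], max: [16, 0, 0] },
  { min: [18, 1, 2], max: null },       // no upper bound
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when `version` falls inside at least one patched range.
function isPatched(version) {
  const v = parseVersion(version);
  return PATCHED_RANGES.some(
    r => compareVersions(v, r.min) >= 0 && (r.max === null || compareVersions(v, r.max) < 0)
  );
}

// Collect every installed copy of `name`. lockfileVersion 2/3 keeps a flat
// "packages" map keyed by path; version 1 nests "dependencies". Paths are
// rendered the way npm audit's "Path" row shows them.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`)) {
        const chain = path.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
        hits.push({ path: chain.join(' > '), version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const path = prefix ? `${prefix} > ${dep}` : dep;
        if (dep === name) hits.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

function auditYargsParser(lock) {
  return findPackage(lock, 'yargs-parser').map(h => ({ ...h, patched: isPatched(h.version) }));
}

// Constructed lockfileVersion-1 fragment (sample data, not a real lock file)
// mirroring the two paths npm audit reported in this issue: one copy already
// resolved to a patched release, one still pinned below 13.1.2.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'laravel-mix': {
      version: '5.0.4',
      dependencies: {
        yargs: {
          version: '15.3.1',
          dependencies: { 'yargs-parser': { version: '18.1.3' } },
        },
        'webpack-dev-server': {
          version: '3.10.3',
          dependencies: {
            yargs: {
              version: '13.3.2',
              dependencies: { 'yargs-parser': { version: '13.1.1' } },
            },
          },
        },
      },
    },
  },
};

// To check a real project, replace SAMPLE_LOCK with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
for (const r of auditYargsParser(SAMPLE_LOCK)) {
  console.log(`${r.patched ? 'patched   ' : 'VULNERABLE'}  ${r.version.padEnd(8)}  ${r.path}`);
}
```

Running it on the sample flags only the copy under webpack-dev-server, which is the situation the thread describes: bumping the direct yargs dependency fixes one path while the transitive one stays vulnerable until webpack-dev-server (or a forced resolution) moves it. After applying the resolutions workaround, run it against the real package-lock.json to confirm no copy is left outside the patched ranges before trusting a clean npm audit.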

Hi,
I found the solution... hope this will work for you.

Update the following files (Laravel 7.x):

  1. node_modules > yargs-parser > package.json > "version": "to latest version".
  2. node_modules > yargs > package.json > "version": "to latest version".
  3. node_modules > webpack-dev-server > package.json > "yargs": "to latest version" & "yargs-parser": "to latest version".
  4. project > package.json > update all "yargs" & "yargs-parser" versions to "latest version"
  5. project > package-lock.json > update all "yargs" & "yargs-parser" versions to "latest version"

Run npm install

Be Creative 😊

@hicham-saddek 's solution worked for me.

```
$ npm audit

                       === npm audit security report ===

found 0 vulnerabilities
```

thank you

@G-Rath Why do you not like the solution of @hicham-saddek ?

@nessor because it's a temporary solution: by forcing the resolution to a new major, you risk subtle and unpredictable bugs.

I'm not opposed to forcing resolutions, but it's best done for patch & minor versions, not majors.

I agree with @G-Rath about my solution being a temporary solution, and it could fail at any moment; however, it is a solution you can deploy only to temporarily fix this issue until the yargs original developers update their version of yargs-parser, which I don't think will take long as it's a sticking bug, unless they don't care about the package at all, which I think they do. So to recap: this solution is temporary, but it won't hurt to deploy it until the vulnerability is fixed by the original devs and you can remove it from your package. Of course, before deploying this solution to a production environment you will have to check its compatibility first and that it won't make your system crash or anything. It's totally up to the user to see if this temporary solution can fit in their environment or not, and to constantly monitor for the yargs-parser update inside the yargs package.
Hope this does not bug anyone LOL.

May your code work, and your PM be happy 😄.

until the yargs original developers update their version of yargs-parser

The vulnerability has already been patched in yargs-parser, and a version of yargs has been released that supports using that version.

laravel-mix is the one that needs to be updated, which is the issue: this vulnerability was reported Mar 26th, 2020, and patched on the day by the yargs team.

So this is waiting on @JeffreyWay to release a new version of laravel-mix that uses the patched version of yargs; however the last activity I've seen from here on this repo was pushing a commit for an alpha of 6.0.0 on the 1st of May, while a number of tickets around this vulnerability have been opened since it was reported that have gone without response from him.

I understand that this is an open-source project, and that people have lives and get busy so this isn't a go at him; I just want to highlight that this is a can that's been kicking around for a few months without action, and so it's looking more and more like it could be time to find a replacement tool.

While being able to resolve this by forcing the resolution of the package is a good thing, it might not work for the next vulnerability that comes out on a dependency of laravel-mix.

@hicham-saddek Thanks for Your Answer, It worked.

@hicham-saddek thank you sir

@hicham-saddek Satisfied with the temporary solution, thank!

Latest version of Mix uses the most current version of yargs.

Hello,
I think I might have found a solution for this problem.
The main problem is that the yargs-parser package contains a vulnerability and the later version doesn't, but the yargs package still requires the earlier version, so for this error we can basically solve it by forcing yargs to use the latest version of yargs-parser, which is 18.1.3 instead of 18.1.2.

So first you can add these lines to your package.json file.

  1. Add this line to your scripts section
    "preinstall": "npx npm-force-resolutions"
  2. Add a new key to your package.json file named resolutions and add a new line in it with the appropriate version of yargs-parser
    "resolutions": { "yargs-parser": "^18.1.3" }
  3. Run npm install yargs-parser --save-dev && npm update && npm install

And voilà, you are now set up to use laravel-mix again as intended.

Code great things :)

It solved the problem, thanks!!!!
