Parcel: NPM reports 63 High severity vulnerabilities

Created on 12 Jul 2019 · 10 Comments · Source: parcel-bundler/parcel

πŸ› bug report

NPM found 63 High severity vulnerabilities when being installed/audited.

🎛 Configuration (.babelrc, package.json, cli command)

My package.json:

{
    "name": "dashboard",
    "version": "1.0.0",
    "scripts": {
        "start": "parcel src/dashboard.html",
        "build": "parcel build src/dashboard.html"
    },
    "license": "MIT",
    "dependencies": {
        "parcel-bundler": "^1.12.3",
        "typescript": "^3.5.3",
        "vue": "^2.6.10",
        "vue-hot-reload-api": "^2.3.3"
    },
    "devDependencies": {
        "@vue/component-compiler-utils": "^3.0.0",
        "apexcharts": "^3.8.2",
        "axios": "^0.19.0",
        "vue-apexcharts": "^1.3.6",
        "vue-property-decorator": "^8.2.1",
        "vue-template-compiler": "^2.6.10"
    }
}

🤔 Expected Behavior

The package should install with 0 vulnerabilities

😯 Current Behavior

On install/audit:

+ [email protected]
added 720 packages from 525 contributors and audited 8295 packages in 33.612s
found 63 high severity vulnerabilities

💁 Possible Solution

🔦 Context

💻 Code Sample

The NPM audit report:
parcel-audit.txt

🌍 Your Environment

| Software         | Version(s)         |
| ---------------- | ------------------ |
| Parcel           | 1.12.3             |
| Node             | 12.4.0             |
| npm/Yarn         | 6.9.0              |
| Operating System | Windows 10 Pro x64 |

Security

All 10 comments

It’s only 2 packages with vulnerabilities and I’m pretty sure it doesn’t really affect parcel. Strange that it reports it as 63 severe issues as there’s only 2.

Sent with GitHawk

https://www.npmjs.com/advisories/1012

This is what's causing it, published today

@rivajunior my point was that it would make more sense if npm counts set-value as one dep instead of listing all deps who have it as a dep...

But whatever this doesn’t even affect parcel anyway

Sent with GitHawk
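
As an added example of the counting behaviour described in the comment above (this is not code from the thread or from the Parcel project): npm 6's `npm audit --json` emits one object per advisory under `advisories`, and each advisory lists every dependency path that reaches the vulnerable package in `findings[].paths`. The headline number npm prints is the number of paths, so two advisories against a widely shared package can surface as dozens of "vulnerabilities". The audit document, its paths and the helper name `summarizeAudit` below are constructed for this example; the real report attached to the issue is not reproduced.

```javascript
// Added example, not code from npm or the Parcel project: show how a per-path
// count turns two advisories into a large headline number, and recover the
// per-package view (distinct vulnerable packages and the direct dependency
// that pulls each one in). Input shape follows npm 6's `npm audit --json`.

// Constructed sample audit document; the paths are illustrative, not copied
// from the report attached to the issue.
const sampleAudit = {
  advisories: {
    "1012": {
      id: 1012,
      module_name: "set-value",
      severity: "high",
      title: "Prototype Pollution",
      patched_versions: ">=2.0.1 <3.0.0 || >=3.0.1",
      findings: [
        {
          version: "2.0.0",
          paths: [
            "parcel-bundler>cache-base>set-value",
            "parcel-bundler>micromatch>snapdragon>base>cache-base>set-value",
            "parcel-bundler>micromatch>braces>snapdragon>base>cache-base>set-value",
          ],
        },
        {
          version: "0.4.3",
          paths: ["parcel-bundler>micromatch>snapdragon>base>cache-base>union-value>set-value"],
        },
      ],
    },
    "1179": {
      id: 1179,
      module_name: "minimist",
      severity: "low",
      title: "Prototype Pollution",
      patched_versions: ">=0.2.1 <1.0.0 || >=1.2.3",
      findings: [{ version: "0.0.8", paths: ["parcel-bundler>@parcel/fs>mkdirp>minimist"] }],
    },
  },
};

// Summarize an npm 6 audit document: per-severity path counts (npm's headline
// number) next to the much smaller set of distinct vulnerable packages, and for
// each package the direct dependencies through which it is pulled in.
function summarizeAudit(audit) {
  const pathsBySeverity = {};
  const packages = new Map();
  for (const adv of Object.values(audit.advisories)) {
    const entry = packages.get(adv.module_name) || {
      severity: adv.severity,
      patched: adv.patched_versions,
      paths: new Set(),
      directDeps: new Set(),
    };
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        entry.paths.add(path);
        entry.directDeps.add(path.split(">")[0]);
        pathsBySeverity[adv.severity] = (pathsBySeverity[adv.severity] || 0) + 1;
      }
    }
    packages.set(adv.module_name, entry);
  }
  return {
    pathsBySeverity,
    distinctPackages: packages.size,
    packages: [...packages].map(([name, e]) => ({
      name,
      severity: e.severity,
      patched: e.patched,
      paths: e.paths.size,
      directDeps: [...e.directDeps],
    })),
  };
}

// Usage: `npm audit --json > audit.json`, then pass the parsed file to
// summarizeAudit. With the constructed sample the "high" count is 4 while only
// one high-severity package (set-value) is involved.
const summary = summarizeAudit(sampleAudit);
console.log(JSON.stringify(summary, null, 2));
```

The per-package view is the one that matters for remediation: the `patched` range tells you which version a lock-file bump needs to reach, and `directDeps` tells you which of your own dependencies has to pick it up before `npm audit fix` can do anything.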

@DeMoorJasper I agree with you on npm counting this as multiple deps.

I know this sounds trivial, and it doesn't affect parcel, but it will be awesome to get rid of those warnings and the solutions look easy enough:

If you are using set-value 3.x, upgrade to version 3.0.1 or later. 
If you are using set-value 2.x, upgrade to version 2.0.1 or later.

Running an npm audit fix installed the last deps versions and corrected most of the warnings for me, I suggest giving it a try.

Fast forward to now, I'm only seeing 8 warnings for parcel-bundler all related to different sub-dependencies that use minimist:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ parcel-bundler                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ parcel-bundler > @parcel/fs > mkdirp > minimist              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

 ...

Hopefully this helps the maintainers resolve and close this ticket. If help is needed, let me know and I'll try to submit a PR (may be a little tricky given that the instances of minimist are all sub-dependencies).
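
Both advisories discussed in this thread, set-value (npm advisory 1012, the upgrade advice quoted a few comments up) and minimist (advisory 1179, the report just above), are the same bug class: prototype pollution through a "deep set" helper that walks a dotted key path into nested objects. The block below is an added illustration and is not code from set-value, minimist or Parcel; the helper names `deepSetUnsafe`, `deepSetSafe`, `parseArgs` and `demonstrate`, and the argv strings, are assumptions made for the example. It shows the unfiltered walk landing on `Object.prototype`, and the hardened form rejecting the keys that reach the prototype chain.

```javascript
// Added example, not code from set-value, minimist or Parcel: a dotted-path
// setter of the kind behind advisories 1012 and 1179, in its vulnerable and
// hardened forms, driven by a minimist-style `--a.b=c` option parser.

// Vulnerable form: walks the key path with no filtering. The key "__proto__"
// resolves to Object.prototype, so the final assignment lands on the prototype
// shared by every plain object in the process.
function deepSetUnsafe(target, keyPath, value) {
  const keys = keyPath.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Keys that redirect a property walk onto the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened form: refuse the prototype-reaching keys up front, and only descend
// into own properties so an inherited value can never become the walk target.
function deepSetSafe(target, keyPath, value) {
  const keys = keyPath.split(".");
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set prototype key in path "${keyPath}"`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== "object" || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// A minimist-style parser for `--name=value` options where the name may be a
// dotted path, parameterised by the setter it uses to build the options object.
function parseArgs(argv, setter) {
  const opts = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setter(opts, m[1], m[2]);
  }
  return opts;
}

// Run attacker-controlled argv (constructed input) through both setters and
// report whether an unrelated, freshly created object inherited the planted
// property. The prototype is cleaned between runs so the results are independent.
function demonstrate() {
  const argv = ["--port=8080", "--__proto__.polluted=yes"];
  const results = {};

  parseArgs(argv, deepSetUnsafe);
  results.unsafePolluted = ({}).polluted === "yes";
  delete Object.prototype.polluted;

  let safeThrew = false;
  try {
    parseArgs(argv, deepSetSafe);
  } catch (e) {
    safeThrew = true;
  }
  results.safeThrew = safeThrew;
  results.safePolluted = ({}).polluted === "yes";
  return results;
}

console.log(demonstrate()); // { unsafePolluted: true, safeThrew: true, safePolluted: false }
```

Whether this is exploitable in a given program depends on who controls the key path: for a bundler's own CLI it is the developer typing the command, which is why the comments above call the finding harmless for Parcel, while a server that feeds request data into the same helper would be a different story.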

I'm also getting warnings for minimist as @skipjack does.
I ran npm-why and got this:

>npm-why minimist
Who required minimist:
parcel > @babel/core > json5 > [email protected]
parcel > @parcel/fs > mkdirp > [email protected]
parcel > @parcel/logger > grapheme-breaker > brfs > quote-stream > [email protected]
parcel > @parcel/logger > grapheme-breaker > brfs > static-module > quote-stream > [email protected]
parcel > @parcel/watcher > chokidar > fsevents > node-pre-gyp > mkdirp > [email protected]
parcel > @parcel/watcher > chokidar > fsevents > node-pre-gyp > rc > [email protected]
parcel > @parcel/watcher > chokidar > fsevents > node-pre-gyp > tar > mkdirp > [email protected]
parcel > cssnano > cssnano-preset-default > postcss-svgo > svgo > mkdirp > [email protected]
parcel > htmlnano > cssnano > cssnano-preset-default > postcss-svgo > svgo > mkdirp > [email protected]
parcel > htmlnano > svgo > mkdirp > [email protected]
parcel > json5 > [email protected]
parcel > mkdirp > [email protected]

It appears that minimist refs need to be updated. Note that there are refs to 0.0.8 several links deep in dependencies, so the sec advisory will keep appearing in package-lock.json until all deps have updated.

These have been fixed in parcel 2 and aren't even real security issues...

It's still there for Parcel 2.

❯ npm i parcel@next -D
+ [email protected]
added 905 packages from 639 contributors, removed 7 packages, updated 88 packages and audited 1593 packages in 142.319s

75 packages are looking for funding
  run `npm fund` for details

found 47 vulnerabilities (1 low, 46 high)
  run `npm audit fix` to fix them, or `npm audit` for details
❯ npm audit fix
+ [email protected]
added 392 packages from 92 contributors, removed 20 packages, updated 75 packages and moved 7 packages in 69.849s

105 packages are looking for funding
  run `npm fund` for details

fixed 46 of 47 vulnerabilities in 1593 scanned packages
  1 vulnerability required manual review and could not be updated

1 Low is not of parcel@next, BTW.

npm i parcel@nightly -D -> found 0 vulnerabilities
