TSLint is also affected just like ESLint (https://github.com/eslint/eslint/issues/13050).
Quick reference: https://github.com/advisories/GHSA-7fhm-mqm4-2wp7
TSLint is also affected
Is it? There aren't any security vulnerabilities posted to TSLint right now. https://github.com/palantir/tslint/security/advisories
If there are, accepting PRs to fix for them. Until then, I don't believe there's any action that needs to be taken? (we don't depend on acorn, for example)
@JoshuaKGoldberg that is weird. TSLint has minimist dependency which is affected by the vulnerability.
It's possible that only devDependency versions are affected. Or, GitHub is still processing the alert, and we haven't gotten it yet
It looks like tslint depends on mkdirp, which has minimist as a direct dependency. Someone opened a PR to upgrade the minimist version here: https://github.com/isaacs/node-mkdirp/pull/8.
EDIT: It actually looks like the latest version (1.0.0+) of mkdirp no longer has a direct dependency on minimist. It was removed in this commit. tslint uses [email protected], which does have a very old version of minimist.
FYI:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of tslint [dev]
Path tslint > mkdirp > minimist
More info https://npmjs.com/advisories/1179
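The audit path above (tslint > mkdirp > minimist, patched in >=1.2.3) can be reproduced from a v1 package-lock.json without npm. The following is an added example, not code from this thread or from TSLint; the package.json and lockfile objects are constructed to mirror the audit output, and the resolver follows npm's v1 lockfile rule that a `requires` entry resolves to the nearest enclosing `dependencies` map.

```javascript
// Added example, not code from the thread: walk a v1 package-lock.json from the
// project's direct dependencies and list every path that resolves to a minimist
// older than the patched 1.2.3 (npm advisory 1179). Both inputs are constructed.
const PATCHED_MINIMIST = '1.2.3';
const packageJson = { devDependencies: { tslint: '^6.1.0' } };
const lockfile = {
  dependencies: {
    tslint: { version: '6.1.0', dev: true, requires: { mkdirp: '^0.5.1' } },
    mkdirp: {
      version: '0.5.1',
      dev: true,
      requires: { minimist: '0.0.8' },
      // nested copy: the hoisted minimist below has a different version
      dependencies: { minimist: { version: '0.0.8', dev: true } },
    },
    minimist: { version: '1.2.5' }, // hoisted, already patched
  },
};
// Plain x.y.z compare: true when a is older than b (prerelease tags ignored).
function olderThan(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// v1 lockfile rule: "requires" resolves to the nearest "dependencies" map
// found walking up from the requiring package to the root.
function resolve(name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const deps = ancestors[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}
function findVulnerableMinimist(pkg, lock) {
  const hits = [];
  const walk = (node, ancestors, path) => {
    if (path[path.length - 1] === 'minimist' && olderThan(node.version, PATCHED_MINIMIST)) {
      hits.push(`${path.join(' > ')} (${node.version})`);
    }
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, [...ancestors, node]);
      // path.includes(dep) guards against dependency cycles
      if (child && !path.includes(dep)) walk(child, [...ancestors, node], [...path, dep]);
    }
  };
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(direct)) {
    const node = resolve(name, [lock]);
    if (node) walk(node, [lock], [name]);
  }
  return hits;
}
```

Running `findVulnerableMinimist(packageJson, lockfile)` on the constructed inputs returns the single path `tslint > mkdirp > minimist (0.0.8)`; the hoisted 1.2.5 copy is not reported because mkdirp's own nested copy shadows it.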
Excellent, thanks for the additional info folks! Accepting PRs to bump to a version of ~minimist~ mkdirp that doesn't have the dependency on (an old version of) minimist.
Note that mkdirp 1.0.0 requires node >= 10 but tslint still claims to support node >= 4.8.0
The right solution is probably to update mkdirp to 0.5.3 first and make a minor version bump.
You might consider a major version bump to update to mkdirp 1.x, but you'd need to move engine to node >= 10 (which is probably reasonable).
tslint still claims to support node >= 4.8.0
That is... quite far back, and probably no longer true in practice. Amusing.
Per https://www.npmjs.com/package/mkdirp#platform-support:
This module works on node v8, but only v10 and above are officially supported, as Node v8 reached its LTS end of life 2020-01-01, which is in the past, as of this writing.
We can take a dependency on the unofficial v8 support decision, for those same reasons.
I just opened a PR before seeing this. I can switch to 1.x and increase node version if you think that's preferable.
0.5.3 works too! So long as minimist is updated.
@adidahiya are you going to release a new version with the fix for this?
If you delete your lockfile and minimist + mkdirp in node_modules it will automatically fix this.
just released 6.1.1
Beep boop! TSLint is deprecated and you should switch to typescript-eslint!
This issue is being locked to prevent further unnecessary discussions. Thank you!