Version: 4.4.1

Environment info:

  System:
    OS: macOS 10.15.4
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Binaries:
    Node: 13.12.0 - /usr/local/bin/node
    Yarn: 1.22.4 - /usr/local/bin/yarn
    npm: 6.14.4 - /usr/local/bin/npm
  Browsers:
    Chrome: 83.0.4103.97
    Firefox: 77.0.1
    Safari: 13.1
  npmPackages:
    @vue/cli-plugin-unit-jest: ^4.4.1 => 4.4.1
    @vue/cli-shared-utils: 4.4.1
    jest-serializer-vue: 2.0.2
    vue-jest: 3.0.5
    vue-template-es2015-compiler: 1.9.1
  npmGlobalPackages:
    @vue/cli: 4.2.3
Steps to reproduce:

  npm i @vue/cli-plugin-unit-jest

Expected: "Found 0 vulnerabilities."

Actual:

┌───────────────┬──────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                  │
├───────────────┼──────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                         │
├───────────────┼──────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2     │
├───────────────┼──────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-jest [dev]                      │
├───────────────┼──────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-jest > ts-jest > yargs-parser   │
├───────────────┼──────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                    │
└───────────────┴──────────────────────────────────────────────────────┘
Same issue on 4.4.3.
More recent versions of ts-jest don't have that problem, so the dependency on ts-jest should be updated to v25.3.0 minimum (the first version with a non-vulnerable dependency on yargs-parser).
See the corresponding commit.
Not possible in this major, because that's a breaking change for Vue CLI.
And there is no actual vulnerability exposed to end-users, because in ts-jest, yargs-parser is only used for parsing command-line arguments for the ts-jest command (such as ts-jest config:init), which an end-user would never have the chance to call.
If you do need to circumvent the warning, you can use the resolutions field in package.json together with npm-force-resolutions.
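The bug class behind advisory 1500, shown as an added example that is not yargs-parser's code and not part of this thread: a toy argv parser that expands dotted keys ("--db.host=x" into {db: {host: "x"}}), first without any key filtering, so that "--__proto__.polluted=yes" writes onto Object.prototype, and then hardened by refusing the "__proto__", "constructor" and "prototype" segments and only descending into own, null-prototype containers. All function names and the sample argv are this example's own. It also makes the point above concrete: the attacker-controlled input has to be the process's command line, which an end-user of the plugin never supplies.

```javascript
'use strict';

// Added example, not yargs-parser's code: a toy argv parser that expands
// dotted keys, in a vulnerable and a hardened form. Advisory 1500 concerns
// this class of bug; the real library's code paths differ, and every name
// below belongs to this example only.

// "--a.b=1" -> { path: ["a", "b"], value: "1" }; a bare "--flag" is true.
function splitArg(arg) {
  const body = arg.slice(2);
  const eq = body.indexOf('=');
  const key = eq === -1 ? body : body.slice(0, eq);
  const value = eq === -1 ? true : body.slice(eq + 1);
  return { path: key.split('.'), value };
}

// VULNERABLE: walks the path with plain property access and no key filter.
// On a plain object, cur["__proto__"] is Object.prototype, so the final
// assignment creates a property that every object in the process inherits.
function setPathUnsafe(target, path, value) {
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) {
      cur[path[i]] = {};
    }
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

// HARDENED: refuse the segments that reach the prototype chain, and only
// ever create or descend into own, null-prototype containers.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const bad = path.find((seg) => FORBIDDEN_SEGMENTS.has(seg));
  if (bad !== undefined) {
    throw new Error(`refusing unsafe key segment "${bad}" in ${path.join('.')}`);
  }
  let cur = target;
  for (let i = 0; i < path.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
    if (!own || typeof cur[path[i]] !== 'object' || cur[path[i]] === null) {
      cur[path[i]] = Object.create(null);
    }
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
}

function parseArgv(argv, setPath, makeRoot) {
  const out = makeRoot();
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue; // positionals are ignored in this toy
    const { path, value } = splitArg(arg);
    setPath(out, path, value);
  }
  return out;
}

const parseArgvUnsafe = (argv) => parseArgv(argv, setPathUnsafe, () => ({}));
const parseArgvSafe = (argv) => parseArgv(argv, setPathSafe, () => Object.create(null));

// Constructed attacker-style argv through the vulnerable parser. Returns what
// an unrelated object sees afterwards, then removes the polluted property so
// the rest of the process is left clean.
function demonstratePollution() {
  parseArgvUnsafe(['--name=x', '--__proto__.polluted=yes']);
  const leaked = ({}).polluted; // "yes": now inherited by every plain object
  delete Object.prototype.polluted;
  return leaked;
}

// Same argv through the hardened parser: "rejected" if it threw and left
// Object.prototype untouched, otherwise a string naming what went wrong.
function demonstrateHardened() {
  let threw = false;
  try {
    parseArgvSafe(['--name=x', '--__proto__.polluted=yes']);
  } catch (e) {
    threw = true;
  }
  if (!threw) return 'accepted';
  return ({}).polluted === undefined ? 'rejected' : 'polluted';
}

console.log('unsafe parser leaked onto Object.prototype:', demonstratePollution());
console.log('hardened parser:', demonstrateHardened());
console.log('hardened parser, legitimate nested key:', parseArgvSafe(['--db.host=localhost']));
```

Note that the hardened version still accepts ordinary nested keys; the rejection is specific to the three segments that can reach the prototype chain, and the null-prototype containers mean even an accidental "__proto__" own property would be inert.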
Also having this issue (from this library and also laravel-mix).
I did as @sodatea suggested, which removed the warnings; it's not yet clear what kind of impact it might have on the libraries that depend on the problem versions. Seems okay so far.
In package.json:
...
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "yargs-parser": "15.0.1"
  },
...

Same as @Aaronm14. Originally my problem was just laravel-mix, but then I tried what @msklvsk shared (npm i @vue/cli-plugin-unit-jest) and a new error was added (@vue/cli-plugin-unit-jest > ts-jest > yargs-parser). So I tried what @sodatea suggested, and the same thing happened as with Aaron: it removed the warnings. I'm really not sure what happened, but it worked.
In package.json, just copy what @Aaronm14 input.
I wonder what impact this vulnerability can have; for me the dependency is related to laravel-mix (4.1.4).
@sodatea, do you know if there are vulnerabilities exposed to end-users in the laravel-mix scenario?
Updated yargs-parser to 18.1.3 but I'm still seeing this vulnerability warning.
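Why updating yargs-parser at the top level does not clear the warning, and how to check what a resolutions override actually changed: the copy npm audit reports is the nested one under ts-jest (the "Path" row in the audit output above), not the one your package.json declares. The following is an added example, not part of this thread or of npm audit. It walks an npm 6 (lockfileVersion 1) package-lock.json, lists every copy of a package with its nesting path, and says whether each falls inside the advisory's patched ranges. The lock file below is constructed, its version numbers are illustrative only, and all function names are this example's own.

```javascript
'use strict';

// Added example, not part of this thread or of npm audit: walk a
// lockfileVersion 1 package-lock.json and report every copy of a package
// with its nesting path and patched/vulnerable status. The sample lock at
// the bottom is constructed and its version numbers are illustrative.

// Patched ranges from advisory 1500:
//   >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
// Each entry is [lower bound inclusive, upper bound exclusive or null].
const PATCHED_RANGES = [
  ['13.1.2', '14.0.0'],
  ['15.0.1', '16.0.0'],
  ['18.1.2', null],
];

// Minimal semver handling for plain x.y.z versions (no prerelease tags).
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isPatched(version, ranges = PATCHED_RANGES) {
  return ranges.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && (hi === null || compareVersions(version, hi) < 0));
}

// Recursively walk the "dependencies" tree of a lockfileVersion 1 lock file.
// Each hit records the path npm audit would print ("a > b > name").
function findPackage(lock, name, ranges = PATCHED_RANGES) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) {
        hits.push({
          path: path.join(' > '),
          version: info.version,
          dev: Boolean(info.dev),
          patched: isPatched(info.version, ranges),
        });
      }
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a patched top-level yargs-parser (what installing
// 18.1.3 yourself gives you) plus an older copy nested under ts-jest, which
// is the one the audit table points at. Versions are illustrative.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'yargs-parser': { version: '18.1.3' },
    '@vue/cli-plugin-unit-jest': {
      version: '4.4.1',
      dev: true,
      dependencies: {
        'ts-jest': {
          version: '24.3.0', // illustrative
          dev: true,
          dependencies: {
            'yargs-parser': { version: '13.1.1', dev: true }, // illustrative, inside the vulnerable range
          },
        },
      },
    },
  },
};

// One line per copy, flagged "ok" or "VULN".
function report(lock, name) {
  return findPackage(lock, name).map((h) =>
    `${h.patched ? 'ok  ' : 'VULN'} ${name}@${h.version}${h.dev ? ' [dev]' : ''}  ${h.path}`);
}

console.log(report(SAMPLE_LOCK, 'yargs-parser').join('\n'));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); this walker only understands the lockfileVersion 1 layout that npm 6 writes, since npm 7 and later put the tree in a flat "packages" map instead. After the resolutions workaround above has been applied, the nested copy should show up at 15.0.1 and be flagged ok.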
> Also having this issue (from this library and also laravel-mix).
> I did as @sodatea suggested, which removed the warnings; it's not yet clear what kind of impact it might have on the libraries that depend on the problem versions. Seems okay so far.
> In package.json:
> ... "scripts": { "preinstall": "npx npm-force-resolutions" }, "resolutions": { "yargs-parser": "15.0.1" } ...

This worked for me; this looks like the best workaround for the time being.