Update tap dependency to fix security issue with minimist 1.2.0
ashishkujoy opened this issue · 26 comments
The current version 1.2.0 of minimist, which is a transitive dependency of tap, has a security issue. There is an open issue in tap for that. We should upgrade the tap dependency once that gets fixed.
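The security issue referred to in this report is the minimist prototype pollution advisory (npm advisory 1179, the one every `npm audit` entry further down in the thread links to, patched in >=0.2.1 <1.0.0 || >=1.2.3): a crafted option name such as `--__proto__.polluted=yes` or `--constructor.prototype.polluted=yes` lets the parser's dotted-key assignment land on Object.prototype. The following is an added example, not code from this thread, from mkdirp or from minimist. It is a deliberately simplified argument parser that assigns dotted option names the way `--a.b=c` parsers do, shown first in the vulnerable form and then with the key check that blocks both paths. The payload strings are constructed for the demonstration.

```javascript
// Added example (not minimist's code): a toy argv parser with the dotted-key
// assignment that makes "--__proto__.x=y" dangerous, and a hardened variant.

// Keys that must never be walked when building a nested object from user input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: walks each key of `path` into `target`, creating objects as needed.
// For path ['__proto__', 'polluted'] the first hop lands on Object.prototype,
// so the final assignment pollutes every object in the process.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Hardened: reject any forbidden segment up front, and only descend into
// properties the current node actually owns (never inherited ones).
function setPathSafe(target, path, value) {
  if (path.some((key) => FORBIDDEN_KEYS.has(key))) return false;
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!Object.prototype.hasOwnProperty.call(node, key)) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Minimal "--name.sub=value" parser; `setPath` selects the assignment strategy.
function parseArgs(argv, setPath) {
  const opts = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    setPath(opts, m[1].split('.'), m[2]);
  }
  return opts;
}

// Constructed payloads: the two shapes named in the advisory.
const PAYLOADS = [
  ['--__proto__.polluted=yes'],
  ['--constructor.prototype.polluted=yes'],
];

// Runs one payload through a parser and reports whether an unrelated,
// freshly created object picked up the injected property.
function pollutes(argv, setPath) {
  const probe = 'polluted';
  parseArgs(argv, setPath);
  const leaked = ({})[probe] === 'yes';
  delete Object.prototype[probe]; // undo so the next run starts clean
  return leaked;
}

function demo() {
  return PAYLOADS.map((argv) => ({
    argv: argv.join(' '),
    unsafeParserPolluted: pollutes(argv, setPathUnsafe),
    safeParserPolluted: pollutes(argv, setPathSafe),
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(demo());
```

The unsafe parser pollutes on both payloads; the hardened one rejects them before touching the object graph. Note that the `hasOwnProperty` check alone is not enough (`__proto__` is never an own property, but the loop would still descend into it through the `node[key]` read), which is why the explicit deny-list on the key segments comes first.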
Please update, this package mkdirp is triggering a lot of vulnerabilities via npm audit and snyk.
Check the paths, all the vulnerabilities I have are via mkdirp
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ extract-zip │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ extract-zip > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard > eslint > file-entry-cache > flat-cache > write > │
│ │ mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard > eslint > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
This is really propagating everywhere, damn, this package is really omnipresent :)
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ express-handlebars > handlebars > optimist > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ handlebars │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ handlebars > optimist > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ extract-zip [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ extract-zip > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ phantomjs-prebuilt [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ phantomjs-prebuilt > extract-zip > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ html-validate [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ html-validate > eslint > file-entry-cache > flat-cache > │
│ │ write > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ html-validator [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ html-validator > html-validate > eslint > file-entry-cache > │
│ │ flat-cache > write > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard > eslint > file-entry-cache > flat-cache > write > │
│ │ mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ html-validate [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ html-validate > eslint > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ html-validator [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ html-validator > html-validate > eslint > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard > eslint > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ libxmljs [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ libxmljs > node-pre-gyp > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ libxmljs [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ libxmljs > node-pre-gyp > tar > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
20 pieces here...
Please fix this asap.
$ npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of browserify [dev]
Path browserify > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of cssnano [dev]
Path cssnano > cssnano-preset-default > postcss-svgo > svgo >
mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > grunt-eslint > eslint >
file-entry-cache > flat-cache > write > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > grunt-eslint > eslint > mkdirp >
minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > cacache > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > make-fetch-happen > cacache
> mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > npm-registry-fetch >
make-fetch-happen > cacache > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > cacache > move-concurrently
> copy-concurrently > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > make-fetch-happen > cacache
> move-concurrently > copy-concurrently > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > npm-registry-fetch >
make-fetch-happen > cacache > move-concurrently >
copy-concurrently > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > cacache > move-concurrently
> mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > make-fetch-happen > cacache
> move-concurrently > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > npm-registry-fetch >
make-fetch-happen > cacache > move-concurrently > mkdirp >
minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > pacote > tar > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of grunt-contrib-jasmine [dev]
Path grunt-contrib-jasmine > puppeteer > extract-zip > mkdirp >
minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of gulp-less [dev]
Path gulp-less > less > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > fsevents > node-pre-gyp >
mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > fsevents > node-pre-gyp >
tar > mkdirp > minimist
More info https://npmjs.com/advisories/1179
Low Prototype Pollution
Package minimist
Patched in >=0.2.1 <1.0.0 || >=1.2.3
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > fsevents > node-pre-gyp >
rc > minimist
More info https://npmjs.com/advisories/1179
found 20 low severity vulnerabilities in 13917 scanned packages
20 vulnerabilities require manual review. See the full report for details.
This issue is fixed on NPM for this module in v1.0.3. The audit alert is created by downstream dependencies in package-lock.json.
In most cases rebuilding package-lock helps resolve this issue in your projects.
Please note the remarks on #7 - you should be aware that version 1.0.3 no longer depends on minimist.
For eslint users: check this issue eslint/eslint#13050
@dosstx you delete the file and then run npm install
But I don't know if that solves any problem. I think we just need to wait for other packages that depend on this one and on which you depend on, to be updated.
@jfoclpf it solves the issue for many dependencies with semver ranges.
Sometimes it should hang due to the major release, but it solved it for me.
Created a pull request in node-tap to fix all the security issues. Once the pull request gets merged and a new version gets published, we can upgrade the node-tap version here to fix the issues.
> @jfoclpf it solves the issue for many dependencies with semver ranges.
> Sometimes it should hang due to the major release, but it solved it for me.
Hi @phish108 That usually works when you declare your dependency using ^version: the ^ tells npm to install this version or, in case any higher version is available, install that one. And in case a higher version gets installed, the security issue may get resolved with that higher version.
@ashishkujoy caret ranges do not work exactly as you describe them, but halt at major versions. See: https://docs.npmjs.com/misc/semver
Either way, this issue seems to me mostly as a downstream problem, won’t you agree?
> @jfoclpf it solves the issue for many dependencies with semver ranges.
> Sometimes it should hang due to the major release, but it solved it for me.
Didn't solve anything for me. Take for example the case of standard, look at the dependency chain:
standard > eslint > file-entry-cache > flat-cache > write > mkdirp > minimist
We need to wait for all that chain to be gradually updated. Furthermore, when you install a package via npm i package, it simply adds to package.json the specific version of the dependency at the moment. I doubt that many people use semver ranges.
@jfoclpf you are correct, since the issue is solved here (in a major release), the downstream caret ranges need to get updated, “manually”. This can be annoying, if different dependencies ask for lower versions than the current release.
Aside from that, caret ranges are the default when running npm i --save somemodule. So they are quite common.
In your case there are two major release issues in your chain:
First is mkdirp, which upgraded from 0.5.1 to 1.0.3, while dropping the minimist dependency in this course. However, write@1.* asks for mkdirp@0.5.1 or later, but smaller than 1.0.0.
This would not be so much of an issue, because write@2.0.0 drops the mkdirp dependency altogether.
Besides eslint@6.8.0 direct dependencies, for which we have to wait until the official release of version 7 to fix the issue, the problem in your chain is with flat-cache, which asks for write@1.0.3 or newer, but lower than 2.0.0, which is write’s current release.
See also: royriojas/flat-cache#28
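A check that turns the reasoning in the comment above into something you can run against your own chain: does any hop declare a range that can never resolve to the version that leaves the vulnerable path? This is an added example, not code from this thread or from any of the projects named in it. It deliberately implements only the range syntax that appears on this page (exact versions, caret ranges, and comparator sets such as the `Patched in` line that `npm audit` prints), following npm's documented caret rule (`^1.2.3` allows `<2.0.0`, `^0.2.3` allows `<0.3.0`, `^0.0.3` allows only `0.0.3`); real tooling should use the `semver` package. The declared ranges in the sample chain (`flat-cache` asking for `write@^1.0.3`, `write` asking for `mkdirp@^0.5.1`) are assumptions modelled on the discussion above, not values read from a lockfile.

```javascript
// Added example: minimal semver range evaluation for the forms seen in this
// thread. Not the `semver` package; use that in real tooling.

// "1.2.3" -> [1, 2, 3]; wildcards and prerelease tags are unsupported here.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(text.trim());
  if (!m) throw new Error('unsupported version syntax: ' + text);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm's caret rule: allow changes that do not touch the left-most non-zero part.
//   ^1.2.3 -> >=1.2.3 <2.0.0   ^0.2.3 -> >=0.2.3 <0.3.0   ^0.0.3 -> >=0.0.3 <0.0.4
function caretBounds(text) {
  const [major, minor, patch] = parseVersion(text);
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower: [major, minor, patch], upper };
}

// One comparator: "^x.y.z", ">=x.y.z", "<x.y.z", "x.y.z", ...
function matchesComparator(version, comparator) {
  if (comparator.startsWith('^')) {
    const { lower, upper } = caretBounds(comparator.slice(1));
    return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
  }
  const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
  const diff = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '>=': return diff >= 0;
    case '<=': return diff <= 0;
    case '>':  return diff > 0;
    case '<':  return diff < 0;
    default:   return diff === 0;
  }
}

// A range is alternatives joined by "||"; each alternative is comparators joined by spaces.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((c) => matchesComparator(v, c)));
}

// The "Patched in" line npm audit prints for advisory 1179.
const MINIMIST_PATCHED = '>=0.2.1 <1.0.0 || >=1.2.3';

function isVulnerableMinimist(version) {
  return !satisfies(version, MINIMIST_PATCHED);
}

// The chain discussed above. Ranges are assumptions modelled on the discussion,
// not read from a real lockfile.
const SAMPLE_CHAIN = [
  { from: 'flat-cache', to: 'write',  range: '^1.0.3' },
  { from: 'write',      to: 'mkdirp', range: '^0.5.1' },
];

// Versions that leave the vulnerable path: write 2.0.0 drops mkdirp,
// mkdirp 1.0.3 drops minimist.
const FIXED_VERSIONS = { write: '2.0.0', mkdirp: '1.0.3' };

// Hops whose declared range can never resolve to the fixed version of their
// dependency: each one is a place a lockfile rebuild cannot get past.
function blockingHops(chain, fixed) {
  return chain
    .filter((hop) => !satisfies(fixed[hop.to], hop.range))
    .map((hop) => `${hop.from} declares ${hop.to}@${hop.range}, which excludes ${hop.to}@${fixed[hop.to]}`);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('minimist 1.2.0 vulnerable:', isVulnerableMinimist('1.2.0'));
  console.log(blockingHops(SAMPLE_CHAIN, FIXED_VERSIONS).join('\n'));
}
```

For the sample chain both hops come back as blocking, which is why deleting package-lock.json and reinstalling does not help in this case: no version the resolver is allowed to pick can reach mkdirp 1.0.3 or write 2.0.0. The same `satisfies` call shows the other side of the coin: a hypothetical 0.5.x release of mkdirp would fall inside `^0.5.1` and be picked up by a rebuild, because caret ranges on 0.x versions allow patch-level changes but not a minor or major bump.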
Thanks for opening this issue - This is the last one on my list to finally address all security issues of the week
Referencing Cypress so others can easily subscribe for updates: cypress-io/cypress#6793
Hey @isaacs - Whenever you can, could you please take a look at the PR above, merge and publish a new version of mkdirp?
I'm sure you must be busy with daily activities, so we'd appreciate if we could help merge this PR to address this vulnerability as it's causing issues in other packages upstream.
Thank you
@heitorlessa there is already a new release, but it is a major release, which requires downstream activity. (please read the discussion above)
thanks for the heads up @phish108 - I blindly assumed 240+ packages affected (transitive deps) were allowing patch updates but major versions. Well, turns out a few packages I checked are using exact version and not ranges :/ this is gonna last for much longer than I thought.
not solving a thing for me
This one dependency causes almost every package known in the Angular-universe to be flagged as a security vulnerability.
For this mkdirp-dependency is the cause of 55 out of 56 indirect, insecure minimist-versions in my repo.
Please consider upgrading. It should be a really quick and simple job.
> This one dependency causes almost every package known in the Angular-universe to be flagged as a security vulnerability.
> For this mkdirp-dependency is the cause of 55 out of 56 indirect, insecure minimist-versions in my repo.
> Please consider upgrading. It should be a really quick and simple job.
@josteink it's not a quick job, it will take time.
Reason: tap does not want to upgrade mkdirp (this package) because the 1.x version of mkdirp does not support Node 8; they want to keep supporting Node 8 and remove the dependency on this package in the next major, tap v15, which is currently in development.
For more information please have a look at this closed PR
> @josteink it's not a quick job it will take time.
> Reason: tap does not want to upgrade mkdirp(this package) because 1.x version of mkdirp does not support node8
Then the nice and pragmatic thing would be to make a 0.5.5 release (or something like that) based on the older code-base with Node8 support and no breaking changes apart from upgrading minimist.
That's a really small job to do, and something which the author of the package could use to garner good-will, rather than frustration.
Right now there's no known npm audit fix --depth based solution for end-users/developers to fix this on their own...
Closing this issue as tap has been updated and currently there are no security vulnerabilities.
Why close?
mkdirp is a dependency to lots of packages besides tap.
Tap updating won’t solve it for anyone else.
@josteink Please refer to the screenshot; I ran npm audit today with the latest code, and it's showing 0 vulnerabilities.