robertklep/nefit-easy-commands

Security bug in one of your dependencies.

Closed this issue · 2 comments

Hi,

I am using your package and it contains a security bug inside one of its dependencies.
It was detected by Snyk, which I am running on my packages. See the report below.

Vulnerable module: minimist
Introduced through: nefit-easy-commands@3.0.4
Exploit maturity: Proof of concept
Fixed in: 0.2.1, 1.2.3
Detailed paths
Introduced through: node-red-contrib-nefit-easy2@1.4.5 › nefit-easy-commands@3.0.4 › nefit-easy-core@4.0.0 › node-xmpp-client@3.2.0 › minimist@1.2.0
Remediation: Your dependencies are out of date, otherwise you would be using a newer minimist than minimist@1.2.0. Try relocking your lockfile or deleting node_modules, reinstalling and running snyk wizard. If the problem persists, one of your dependencies may be bundling outdated modules.
Overview
minimist is a parse argument options module.

Affected versions of this package are vulnerable to Prototype Pollution. The library could be tricked into adding or modifying properties of Object.prototype using a constructor or proto payload.

Thanks. I will try and see if I can push an update somewhere in the upcoming days.

FWIW, the security bug is of limited impact in the typical environment that the Nefit modules run in.

minimist turned out to be a dependency of a dependency (node-xmpp-client) of a dependency (nefit-easy-core) and isn't actually in any of the call paths that my code is using. Since node-xmpp-client itself has been deprecated some time ago, there are no newer versions that I can install, so the only way I was able to fix this was making minimist a direct dependency.

Anyway, it should be fixed in nefit-easy-commands@3.0.5 which I just published.
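A check in the spirit of the Snyk path quoted in the report, added here as an example and not code from nefit-easy-commands or its author: it walks a package-lock.json (lockfileVersion 1 layout, nested "dependencies" objects), lists every installed copy of minimist with the path it was introduced through, and flags copies older than the fixed releases 0.2.1 / 1.2.3 named above. The lockfile fragment and the small semver helper are constructed assumptions, not data from the project.

```javascript
// Added example, not part of nefit-easy-commands: walk a lockfileVersion-1 style
// package-lock.json (nested "dependencies" objects) and list every installed copy of
// a package, the path it was introduced through, and whether it predates the fixed
// release for its major line. Fix versions for minimist come from the Snyk report.
const FIXED_IN = { minimist: { 0: '0.2.1', 1: '1.2.3' } };
// "1.2.0" -> [1, 2, 0]; pre-release tags are not handled (assumption for brevity)
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').map(Number);
}

// Numeric compare: negative if a < b, zero if equal, positive if a > b
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `version` of `name` is below the first fixed release of its major line;
// a major line the advisory does not list is treated as not covered by it
function isVulnerable(name, version) {
  const fixed = (FIXED_IN[name] || {})[parseVersion(version)[0]];
  return fixed !== undefined && compareVersions(version, fixed) < 0;
}

// Depth-first walk; returns [{ path, version, vulnerable }] for every copy of `name`
function findPackage(lock, name, trail = [], out = []) {
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const here = [...trail, `${dep}@${info.version}`];
    if (dep === name) {
      out.push({ path: here.join(' › '), version: info.version,
                 vulnerable: isVulnerable(name, info.version) });
    }
    findPackage(info, name, here, out); // nested copies live under their dependent
  }
  return out;
}

// Constructed lockfile fragment mirroring the report's path: the nested minimist@1.2.0
// under node-xmpp-client is the vulnerable copy; the hoisted top-level one is patched.
const LOCK = { dependencies: {
  'nefit-easy-commands': { version: '3.0.4', dependencies: {
    'nefit-easy-core': { version: '4.0.0', dependencies: {
      'node-xmpp-client': { version: '3.2.0', dependencies: {
        minimist: { version: '1.2.0' } } } } } } },
  minimist: { version: '1.2.5' },
} };
for (const hit of findPackage(LOCK, 'minimist')) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\t${hit.path}`);
}
```

Running it against a real lockfile (JSON.parse of package-lock.json) shows whether a nested, unpatched copy survives after the direct-dependency fix in 3.0.5 has been picked up.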