
Package dependency triggers NPM advisory (1179) #1898

Open
jsevedge opened this issue Feb 12, 2021 · 5 comments
Comments

@jsevedge

Describe the bug

npm audit triggers an advisory from a tertiary dependency.

[
  {
    module: 'minimist',
    path: 'dredd>optimist>minimist',
    vulnerability: {
      id: 1179,
      url: 'https://npmjs.com/advisories/1179',
      recommendation: 'Upgrade to versions 0.2.1, 1.2.3 or later.'
    }
  }
]

To Reproduce

Run npm audit and observe vulnerability ID is listed

Expected behavior

npm audit should not list any vulnerabilities tied to this package (or its dependencies)

What is in your dredd.yml?

N/A

What's your dredd --version output?

N/A

Does dredd --loglevel=debug uncover something?

N/A

Can you send us failing test in a Pull Request?

N/A
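For reference on what advisory 1179 covers: it is the minimist prototype-pollution issue (CVE-2020-7598), fixed in 0.2.1 and 1.2.3, the versions the recommendation above names. The following is an added illustration, not minimist's or dredd's code: a cut-down argv parser that assigns dotted keys the way the vulnerable releases did, beside a hardened version that refuses key segments reaching into a prototype. The function names and the constructed argv are for this example only.

```javascript
// Added example: the bug class behind npm advisory 1179 (minimist < 0.2.1 / < 1.2.3).
// This is a minimal re-creation of the dotted-key assignment pattern, not minimist's
// source. parseArgsUnsafe mirrors the vulnerable behaviour; parseArgsSafe adds the key
// check that the fixed releases introduced.
'use strict';

// Split "--a.b.c=val" / "--a.b.c val" / "--flag" style args into [keyPath, value] pairs.
function tokenize(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    if (eq !== -1) {
      pairs.push([body.slice(0, eq).split('.'), body.slice(eq + 1)]);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('-')) {
      pairs.push([body.split('.'), argv[++i]]);
    } else {
      pairs.push([body.split('.'), true]);
    }
  }
  return pairs;
}

// Vulnerable: walks the key path, creating objects as needed. A path starting with
// "__proto__" walks into Object.prototype, so the final assignment pollutes every object.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: reject any segment that can reach a prototype, and only descend into
// own plain-object properties so inherited properties are never traversed.
function setKeySafe(obj, keys, value) {
  if (keys.some((k) => FORBIDDEN.has(k))) return false;
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(o, key) || typeof o[key] !== 'object') {
      o[key] = {};
    }
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

function parseArgsUnsafe(argv) {
  const out = {};
  for (const [keys, value] of tokenize(argv)) setKeyUnsafe(out, keys, value);
  return out;
}

function parseArgsSafe(argv) {
  const out = {};
  for (const [keys, value] of tokenize(argv)) setKeySafe(out, keys, value);
  return out;
}

// Runs both parsers on a constructed argv and reports whether an unrelated, freshly
// created object picked up the injected property. Cleans up after the unsafe run so
// the pollution does not leak into the rest of the process.
function demo() {
  const argv = ['--__proto__.polluted', 'yes', '--name', 'dredd']; // constructed input

  parseArgsUnsafe(argv);
  const unsafeLeaks = ({}).polluted === 'yes';
  delete Object.prototype.polluted;

  const safeResult = parseArgsSafe(argv);
  const safeLeaks = ({}).polluted === 'yes';

  return { unsafeLeaks, safeLeaks, safeResult };
}

console.log(JSON.stringify(demo()));
```

The unsafe parser leaves `polluted` on `Object.prototype`, so any later `({}).polluted` check in the process reads `'yes'`; the hardened parser drops the poisoned key and keeps the ordinary `--name dredd` option.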

@jsevedge (Author)

FYI, it looks like optimist is deprecated (no new versions in 7 years) with a recommendation to use minimist instead.

@jsevedge (Author)

@abtris or another maintainer... looking for some guidance here. It appears optimist is used as the command line parser for this project's CLI; would you be open to a pull request where that is swapped out for a more current package (such as yargs, minimist, etc.)? Seems like swapping that out is the best way to get rid of this security alert for good. If not, any other suggestions?

@abtris (Contributor)

abtris commented May 26, 2021

I see in Dependabot:

Dependabot cannot update minimist to a non-vulnerable version
The latest possible version that can be installed is 0.0.10 because of the following conflicting dependencies:

[email protected] requires minimist@^1.2.5 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.2.0 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.2.5 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.1.3 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.1.3 via a transitive dependency on [email protected]
The earliest fixed version is 0.2.1.
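Why Dependabot stops at 0.0.10 is easier to see with the range check laid out in code. Below is an added example (not Dependabot's or npm's code) that applies npm's caret and tilde range rules to a constructed list of minimist release versions and, for each dependent, reports the highest version its range permits and whether that version is at or above the fixed releases. The ^1.x ranges are the ones quoted above; the ~0.0.1 range for optimist@0.6.1 is assumed here as the constraint behind the dredd>optimist>minimist path, and the dependent labels are placeholders.

```javascript
// Added example: per-dependent range resolution for a nested dependency. npm can install
// separate copies of minimist for different dependents, so the fix status of each copy is
// decided by its own dependent's range, not by the project's direct dependencies.
'use strict';

// Constructed sample of minimist release versions, lowest to highest.
const PUBLISHED = ['0.0.8', '0.0.9', '0.0.10', '0.1.0', '0.2.0', '0.2.1',
  '1.0.0', '1.1.3', '1.2.0', '1.2.3', '1.2.5'];

// Ranges from the Dependabot report (dependent names are placeholders) plus the
// assumed range declared by optimist@0.6.1, which pins the vulnerable copy.
const DEPENDENTS = [
  { name: 'optimist@0.6.1 (assumed range)', range: '~0.0.1' },
  { name: 'dependent A', range: '^1.2.5' },
  { name: 'dependent B', range: '^1.2.0' },
  { name: 'dependent C', range: '^1.1.3' },
];

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error('unsupported version: ' + v);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Exclusive upper bound for ^ and ~ ranges, following npm's semver rules:
//   ~x.y.z -> <x.(y+1).0
//   ^x.y.z -> <(x+1).0.0 if x>0; <0.(y+1).0 if x=0,y>0; <0.0.(z+1) if x=0,y=0
function bounds(range) {
  const op = range[0];
  const base = range.slice(1);
  const [x, y, z] = parse(base);
  if (op === '~') return { lo: base, hi: `${x}.${y + 1}.0` };
  if (op === '^') {
    if (x > 0) return { lo: base, hi: `${x + 1}.0.0` };
    if (y > 0) return { lo: base, hi: `0.${y + 1}.0` };
    return { lo: base, hi: `0.0.${z + 1}` };
  }
  throw new Error('unsupported range: ' + range);
}

function satisfies(version, range) {
  const { lo, hi } = bounds(range);
  return cmp(version, lo) >= 0 && cmp(version, hi) < 0;
}

// Highest published version inside a range, or null when nothing matches.
function highestSatisfying(range, published = PUBLISHED) {
  const ok = published.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Fixed releases named by the advisory recommendation: 0.2.1+ on the 0.x line,
// 1.2.3+ on the 1.x line.
function isFixed(version) {
  const [major] = parse(version);
  if (major === 0) return cmp(version, '0.2.1') >= 0;
  return cmp(version, '1.2.3') >= 0;
}

// For each dependent: the best version its range allows and whether that is fixed.
function report(dependents = DEPENDENTS, published = PUBLISHED) {
  return dependents.map(({ name, range }) => {
    const best = highestSatisfying(range, published);
    return { name, range, best, fixed: best !== null && isFixed(best) };
  });
}

// Dependents whose range can never reach a fixed release; these need a new release
// of the dependent itself (or its replacement), not a lockfile bump.
function unfixable(dependents = DEPENDENTS, published = PUBLISHED) {
  return report(dependents, published).filter((r) => !r.fixed).map((r) => r.name);
}

console.log(report());
console.log('blocked by:', unfixable());
```

The ^1.x dependents all resolve to 1.2.5 and are fine; the copy under optimist cannot go past 0.0.10 because ~0.0.1 excludes 0.1.0 and above, which is exactly the situation Dependabot describes. A range check like this also shows that no bump of the top-level lockfile can help while optimist stays in the tree.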

@abtris (Contributor)

abtris commented May 26, 2021

@opichals @kuba-kubula any advice on this?

@kylef (Member)

kylef commented May 26, 2021

I did some prior analysis in #1695 (comment) with a suggestion on how to proceed. Looks like yargs as a replacement might be a bit problematic due to licensing (although this may have changed). Last I checked minimist shouldn't be much of a problem, and it's already in the dependency tree, albeit an older version.
