Remove minimist dependency via mkdirp (vulnerability CVE-2020-7598)

The version of ESLint you are using: 6.8.0

The problem you want to solve: remove the warning about the minimist vulnerability detailed here: https://github.com/advisories/GHSA-7fhm-mqm4-2wp7

This is required via a dependency on the mkdirp package.

Your take on the correct solution to the problem: @mysticatea has already done this in a PR targeting version 7. I suggest making this change in a patch to 6.8.

Are you willing to submit a pull request to implement this change? Yep.

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 38
  • Comments: 12 (5 by maintainers)

Top GitHub Comments

9 reactions
evanplaice commented, Mar 17, 2020

Update: mkdirp published a new version that bumps minimist to a safe version.

Patching ESLint is no longer necessary.

Re-creating package-lock.json should fix the issue.

8 reactions
willkjackson commented, Mar 18, 2020

Wiping package-lock/minimist from node_modules and reinstalling packages updated the tree:

> npm ls minimist
├─┬ eslint@6.8.0
│ └─┬ mkdirp@0.5.3
│   └── minimist@1.2.5 
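As an added example (not code from the issue, from ESLint or from mkdirp), the check below walks a package-lock.json v1 "dependencies" tree and reports every nested copy of a package with the chain that pulled it in, which is what the `npm ls minimist` output above shows, and flags copies below a chosen threshold. The lockfile content is constructed, and 1.2.5 is used as the threshold only because that is the version the updated tree above resolved to.

```javascript
// Constructed package-lock.json v1 fragment: ESLint 6.8.0 nests an old
// mkdirp, which nests an old minimist; a newer minimist sits at top level.
const lockfile = {
  name: "example-app", lockfileVersion: 1,
  dependencies: {
    eslint: {
      version: "6.8.0", requires: { mkdirp: "^0.5.1" },
      dependencies: {
        mkdirp: {
          version: "0.5.1", requires: { minimist: "0.0.8" },
          dependencies: { minimist: { version: "0.0.8" } },
        },
      },
    },
    minimist: { version: "1.2.5" },
  },
};

// Compare dotted numeric versions (no prerelease tags): returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `target`, keeping the chain of
// parents that nested it (the same chain `npm ls <pkg>` prints).
function findPackage(deps, target, chain = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = [...chain, `${name}@${meta.version}`];
    if (name === target) hits.push({ version: meta.version, path });
    hits.push(...findPackage(meta.dependencies, target, path));
  }
  return hits;
}

// Report each resolved copy of `target` and whether it is below `minVersion`.
function auditLock(lock, target, minVersion) {
  return findPackage(lock.dependencies, target).map((h) => ({
    version: h.version,
    path: h.path.join(" > "),
    vulnerable: compareVersions(h.version, minVersion) < 0,
  }));
}

console.log(auditLock(lockfile, "minimist", "1.2.5"));
```

Running the same audit against a regenerated lockfile should leave only copies at or above the threshold, which is the outcome the comment above observed.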

