
302 moderate severity vulnerabilities in npm audit due to minimist package


Describe the bug

I have prepared a new project with create-react-app, and then I have tried to run npm audit. In that I got the following output:

Moderate        Prototype Pollution
 Package         minimist
 Patched in      >=1.2.3
 Dependency of   react-scripts
 Path            react-scripts > webpack-dev-server > chokidar > fsevents >
                 node-pre-gyp > rc > minimist
 More info       https://npmjs.com/advisories/1179

found 302 moderate severity vulnerabilities in 918863 scanned packages
 302 vulnerabilities require manual review. See the full report for details.

Environment

package.json

"dependencies": {
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.3.2",
    "@testing-library/user-event": "^7.1.2",
    "react": "^16.13.0",
    "react-dom": "^16.13.0",
    "react-scripts": "3.4.0"
  },

System npm and node version:

npm -v
6.14.2
node -v
v12.12.0

Expected behavior

It should use the suggested updated version of the minimist package.
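An added triage script for the situation reported above (not code from the issue, from create-react-app, or from npm): it reads an `npm audit --json` report, assumed here to be in the npm 6 layout with a top-level `advisories` object, and groups every finding that is still below the patched range by the direct parent that pins the vulnerable package, which is the package whose own dependency range must move before `npm install` can pick up the fix. The audit JSON embedded below is a constructed sample shaped after the minimist finding in the issue.

```javascript
// Constructed npm 6 style audit report; paths mirror the issue's finding.
const SAMPLE_AUDIT = JSON.stringify({
  advisories: {
    "1179": {
      id: 1179, module_name: "minimist", title: "Prototype Pollution",
      severity: "moderate", patched_versions: ">=1.2.3",
      url: "https://npmjs.com/advisories/1179",
      findings: [
        { version: "1.2.0", paths: [
          "react-scripts>webpack-dev-server>chokidar>fsevents>node-pre-gyp>rc>minimist"] },
        { version: "0.0.8", paths: ["react-scripts>mkdirp>minimist"] },
        { version: "1.2.5", paths: ["react-scripts>rc>minimist"] }, // already fixed
      ],
    },
  },
});

// "x.y.z[-pre]" -> [x, y, z]; pre-release tags are ignored for this check.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// True when `version` satisfies a patched range of the simple ">=x.y.z" form,
// which is what npm audit emits for a single-fix advisory like this one.
function satisfiesPatched(version, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(patchedRange);
  if (!m) throw new Error(`unsupported range: ${patchedRange}`);
  const a = parseVersion(version), b = parseVersion(m[1]);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// One row per dependency path: who pulls the package in at the top level,
// who pins it directly, and whether the installed version is already patched.
function triage(auditJson) {
  const rows = [];
  for (const adv of Object.values(JSON.parse(auditJson).advisories)) {
    for (const f of adv.findings) for (const path of f.paths) {
      const chain = path.split(">");
      rows.push({ advisory: adv.id, module: adv.module_name, version: f.version,
        fixed: satisfiesPatched(f.version, adv.patched_versions),
        topLevel: chain[0],
        directParent: chain.length > 1 ? chain[chain.length - 2] : "(direct)" });
    }
  }
  return rows;
}

// Unpatched findings grouped by direct parent: the packages to bump or report upstream.
function unfixedByParent(auditJson) {
  const out = {};
  for (const r of triage(auditJson)) {
    if (r.fixed) continue;
    if (!out[r.directParent]) out[r.directParent] = [];
    out[r.directParent].push(r);
  }
  return out;
}
```

Running `triage` over a real report from `npm audit --json > audit.json` replaces the embedded sample; the hundreds of identical minimist findings collapse to a handful of direct parents.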

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 36
  • Comments: 19

Top GitHub Comments

7 reactions
mdodge-ecgrow commented, Mar 19, 2020

It appears like they’ve closed the issue. Does that mean it’s done? The only resolution they gave at the end only applies to Yarn users and requires the user to manually do something. What about NPM users? And shouldn’t this be a fix that is automatic and just happens when updating to the latest packages?

6 reactions
ddd-37 commented, Mar 19, 2020

After recommended fix - “Change your package.json files to "react-scripts": "^3.4.0", and then run npm install” - I still have 583 low severity vulnerabilities
