302 moderate severity vulnerabilities in npm audit due to minimist package
Describe the bug
I have prepared a new project with create-react-app, and then I have tried to run npm audit.
In that I got the following output:
Moderate Prototype Pollution
Package minimist
Patched in >=1.2.3
Dependency of react-scripts
Path react-scripts > webpack-dev-server > chokidar > fsevents > node-pre-gyp > rc > minimist
More info https://npmjs.com/advisories/1179
found 302 moderate severity vulnerabilities in 918863 scanned packages
302 vulnerabilities require manual review. See the full report for details.
Environment
package.json
"dependencies": {
"@testing-library/jest-dom": "^4.2.4",
"@testing-library/react": "^9.3.2",
"@testing-library/user-event": "^7.1.2",
"react": "^16.13.0",
"react-dom": "^16.13.0",
"react-scripts": "3.4.0"
},
System npm and node version:
npm -v
6.14.2
node -v
v12.12.0
Expected behavior
It should use the suggested updated version of the minimist package.
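An added example, not code from the issue or from create-react-app: it reads npm 6 `npm audit --json` output together with package.json, walks each finding path back to the direct dependency that pulls the vulnerable module in, and flags that dependency when its declared range is an exact pin (as "react-scripts": "3.4.0" is in the issue's package.json), since a pin keeps npm from picking up patched releases. The audit document is a constructed sample, and its field layout (advisories keyed by id, findings carrying `>`-separated paths) is assumed from the npm 6 format rather than taken from the page.

```javascript
// Constructed npm 6 audit document; the field layout is assumed from the
// npm 6 `npm audit --json` format. The second path is made up.
const sampleAudit = JSON.stringify({
  advisories: {
    "1179": {
      module_name: "minimist",
      severity: "moderate",
      title: "Prototype Pollution",
      patched_versions: ">=1.2.3",
      findings: [{
        version: "1.2.0",
        paths: [
          "react-scripts>webpack-dev-server>chokidar>fsevents>node-pre-gyp>rc>minimist",
          "react-scripts>eslint>mkdirp>minimist", // constructed path
        ],
      }],
    },
  },
});

// Constructed package.json fragment mirroring the one in the issue.
const samplePackage = {
  dependencies: { react: "^16.13.0", "react-dom": "^16.13.0", "react-scripts": "3.4.0" },
};

// An exact version with no range operator: npm will never move off it.
const EXACT_PIN = /^=?\d+\.\d+\.\d+$/;

// Returns one row per (vulnerable module, direct dependency) pair, with the
// number of paths that reach the module through that direct dependency.
function triageAudit(auditText, pkg) {
  const report = JSON.parse(auditText);
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const rows = new Map();
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const depPath of finding.paths || []) {
        const direct = depPath.split(">")[0]; // first hop is the direct dependency
        const key = `${adv.module_name}|${direct}`;
        const row = rows.get(key) || {
          module: adv.module_name, severity: adv.severity, patchedIn: adv.patched_versions,
          direct, range: declared[direct], pinned: EXACT_PIN.test(declared[direct] || ""), paths: 0,
        };
        row.paths += 1;
        rows.set(key, row);
      }
    }
  }
  return [...rows.values()];
}

for (const r of triageAudit(sampleAudit, samplePackage)) {
  console.log(`${r.module} (${r.severity}, patched in ${r.patchedIn}) via ${r.direct}@${r.range}` +
    ` on ${r.paths} path(s)${r.pinned ? " [exact pin: widen this range]" : ""}`);
}
```

Run against a real project, replace `sampleAudit` with the output of `npm audit --json` and `samplePackage` with the parsed package.json; a row marked as pinned points at the range to widen before re-running the audit.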
Issue Analytics
- Created 4 years ago
- Reactions:36
- Comments:19
Top GitHub Comments
It appears like they’ve closed the issue. Does that mean it’s done? The only resolution they gave at the end only applies to Yarn users and requires the user to manually do something. What about NPM users? And shouldn’t this be a fix that is automatic and just happens when updating to the latest packages?
After recommended fix - “Change your package.json files to "react-scripts": "^3.4.0", and then run npm install” - I still have 583 low severity vulnerabilities.