Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Jest warns about a security vulnerability in minimist package (dependency)

See original GitHub issue

🐛 Bug Report

To Reproduce

Steps to reproduce the behavior: run npm audit with jest latest version installed

Expected behavior

npm does not report any security vulnerabilities when jest is defined in package.json.

Achievable if minimist is upgraded to >=1.2.3

Link to repl or repo (highly encouraged)

envinfo

    "testEnvironment": "node",
    "transform": {
      "^.+\\.tsx?$": "ts-jest"
    },
    "testRegex": "(/__tests__/.*|(\\.|/)(spec))\\.(tsx?)$",
    "collectCoverage": true,
    "coverageThreshold": {
      "global": {
        "branches": 100,
        "functions": 100,
        "lines": 100,
        "statements": 100
      }
    },
    "coverageReporters": [
      "text-summary",
      "html"
    ],
    "collectCoverageFrom": [
      "src/**/*.{ts,tsx}",
      "!**/node_modules/**"
    ],
    "reporters": [
      "default"
    ],
    "moduleFileExtensions": [
      "ts",
      "tsx",
      "js",
      "jsx",
      "json",
      "node"
    ],
    "setupFiles": [
      "<rootDir>/test/jest-setup.ts"
    ],
    "globals": {
      "ts-jest": {
        "diagnostics": false
      }
    }
  }```
<!--
Run npx envinfo --preset jest
Paste the results here:
-->

┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jest [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jest > jest-cli > @jest/core > jest-runner > jest-config > │ │ │ jest-jasmine2 > expect > jest-message-util > │ │ │ @jest/test-result > @jest/transform > jest-haste-map > │ │ │ jest-util > mkdirp > minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/1179 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jest [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jest > @jest/core > jest-config > jest-jasmine2 > expect > │ │ │ jest-message-util > @jest/test-result > @jest/transform > │ │ │ jest-haste-map > jest-util > mkdirp > minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/1179 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jest [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jest > jest-cli > @jest/core > jest-config > jest-jasmine2 > │ │ │ expect > jest-message-util > @jest/test-result > │ │ │ @jest/transform > jest-haste-map > jest-util > mkdirp > │ │ │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/1179 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ jest [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ jest > jest-cli > jest-config > jest-jasmine2 > expect > │ │ │ jest-message-util > @jest/test-result > @jest/transform > │ │ │ jest-haste-map > jest-util > mkdirp > minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/1179

Issue Analytics

State:
Created 4 years ago
Reactions:16
Comments:15

Top GitHub Comments

9reactions

rsuomelacommented, Mar 20, 2020

Removal of node_modules & package-lock.json, followed by running npm install and new npm audit seems to result in vulnerabilities being resolved!

7reactions

rsuomelacommented, Mar 19, 2020

Running npm uninstall --save-dev jest followed by npm install --save-dev jest@latest and finally running npm audit results in found 1509 low severity vulnerabilities in 1206982 scanned packages

Running npm audit after uninstalling jest results in found 13 low severity vulnerabilities in 3174 scanned packages

To me this still seems unresolved.