
vulnerability in gulp 4.0.2


minimist needs to be upgraded to >= 1.2.2

├─┬ gulp@4.0.2
│ └─┬ glob-watcher@5.0.3
│   └─┬ chokidar@2.1.6
│     └─┬ fsevents@1.2.9
│       └─┬ node-pre-gyp@0.12.0
│         ├─┬ mkdirp@0.5.1
│         │ └── minimist@0.0.8
│         └─┬ rc@1.2.8
│           └── minimist@1.2.0

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 3
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
phated commented, Mar 19, 2020

Your npm audit gives no context and you probably need to look at using a better tool. Like contra said, these don’t affect us. In fact, minimist would only be used if you were directly running those dependencies as a command line tool, which you aren’t when you are using gulp.

1 reaction
yocontra commented, Mar 19, 2020

Once mkdirp updates, the dependency will be pulled in automatically since we use semver - there isn’t really anything actionable for us to do about this. Run npm update after the relevant packages fix themselves.

FWIW these npm audit warnings have no attack vector and I have always had an issue with how NPM/Snyk reports these “vulnerabilities”. We get reports for these all the time and 0 of them have ever had any real exploitability. I used to be a pentester for a living + have published a handful of CVEs so I take the security of my packages extremely seriously.
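As an added example (not code from the issue or from the gulp project), the script below walks an `npm ls` style tree and reports every copy of a package older than the patched version together with the full path that pulls it in, which is the context the comments above say npm audit lacks. The tree is the one posted in the issue with npm's indentation restored, and the patched version 1.2.2 comes from the issue text; pre-release tags are assumed absent.

```javascript
// Added example: locate every copy of a package below a fixed version in an
// `npm ls` tree and show its dependency path. Constructed input: the issue's tree.
const NPM_LS_TREE = `
├─┬ gulp@4.0.2
│ └─┬ glob-watcher@5.0.3
│   └─┬ chokidar@2.1.6
│     └─┬ fsevents@1.2.9
│       └─┬ node-pre-gyp@0.12.0
│         ├─┬ mkdirp@0.5.1
│         │ └── minimist@0.0.8
│         └─┬ rc@1.2.8
│           └── minimist@1.2.0
`;

// Numeric "major.minor.patch" comparison; pre-release tags are dropped (assumption).
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Each line is "<tree prefix> name@version". A top-level entry has a four-character
// prefix ("├─┬ ") and every nesting level adds two, so depth = (prefix - 4) / 2.
function parseTree(text) {
  const nodes = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^([│├└─┬ ]*)(\S+)@(\S+)$/); // splits on the last "@"
    if (m) nodes.push({ depth: (m[1].length - 4) / 2, name: m[2], version: m[3] });
  }
  return nodes;
}

// Every copy of `pkg` older than `fixed`, each with the chain of parents above it.
function findVulnerable(text, pkg, fixed) {
  const stack = [], hits = [];
  for (const node of parseTree(text)) {
    stack.length = node.depth; // drop the previous branch at this depth
    stack.push(`${node.name}@${node.version}`);
    if (node.name === pkg && compareVersions(node.version, fixed) < 0) {
      hits.push({ version: node.version, path: stack.join(' > ') });
    }
  }
  return hits;
}

for (const hit of findVulnerable(NPM_LS_TREE, 'minimist', '1.2.2')) {
  console.log(`minimist@${hit.version} < 1.2.2 via ${hit.path}`);
}
```

Both copies in this tree sit under node-pre-gyp, which matches the maintainers' point that the parser is only reached when those packages are run as command line tools.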
