vulnerability in gulp 4.0.2
minimist needs to be upgraded to >= 1.2.2
├─┬ gulp@4.0.2
│ └─┬ glob-watcher@5.0.3
│   └─┬ chokidar@2.1.6
│     └─┬ fsevents@1.2.9
│       └─┬ node-pre-gyp@0.12.0
│         ├─┬ mkdirp@0.5.1
│         │ └── minimist@0.0.8
│         └─┬ rc@1.2.8
│           └── minimist@1.2.0
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
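The tree above is the whole evidence the report gives, so the useful first step is to turn it into the full dependency path of every minimist copy that sits below the version the issue names as fixed (>= 1.2.2). The script below is an added example, not code from the issue or from the gulp project: it parses the `npm ls`-style tree text embedded from the report (depth is recovered from the column where each `name@version` token starts), compares versions numerically (pre-release tags are ignored, an assumption that holds for every version in this tree), and prints each affected copy with the chain that pulls it in. The package name and fix version passed to `findBelowFix` are the ones stated in the issue.

```javascript
// Added example (not from the gulp issue or the gulp project): parse the
// npm ls tree from the report and list every copy of a package that is
// below the version the issue states as fixed, together with the path
// through which it is reached. No npm modules are needed; runs offline.

// Tree text copied from the issue report.
const TREE = `
├─┬ gulp@4.0.2
│ └─┬ glob-watcher@5.0.3
│   └─┬ chokidar@2.1.6
│     └─┬ fsevents@1.2.9
│       └─┬ node-pre-gyp@0.12.0
│         ├─┬ mkdirp@0.5.1
│         │ └── minimist@0.0.8
│         └─┬ rc@1.2.8
│           └── minimist@1.2.0
`;

// Split "name@version" on the LAST "@", so scoped packages
// ("@scope/name@1.0.0") keep their leading "@" in the name.
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Numeric major.minor.patch comparison. Pre-release suffixes are dropped
// (assumption: none of the versions under comparison carry one).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse the tree into { name, version, path } entries. The root node's
// "name@version" starts at column 4 ("├─┬ "), and every nesting level
// shifts the token two columns to the right, so depth = (column - 4) / 2.
function parseTree(text) {
  const entries = [];
  const stack = []; // specs of the ancestors, indexed by depth
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\s+$/, '');
    const cut = line.lastIndexOf(' ');
    if (cut < 0) continue;
    const spec = line.slice(cut + 1);
    if (spec.lastIndexOf('@') <= 0) continue; // not a name@version node
    const depth = (cut + 1 - 4) / 2;
    stack.length = depth; // drop siblings' subtrees deeper than this node
    stack[depth] = spec;
    const { name, version } = parseSpec(spec);
    entries.push({ name, version, path: stack.slice(0, depth + 1).join(' > ') });
  }
  return entries;
}

// Every copy of `pkg` whose version is below `fixedIn`, with its path, so
// the reader can judge how (and whether) that copy is ever exercised.
function findBelowFix(text, pkg, fixedIn) {
  return parseTree(text)
    .filter((e) => e.name === pkg && compareVersions(e.version, fixedIn) < 0)
    .map((e) => ({ version: e.version, path: e.path }));
}

// Package name and fix version as stated in the issue.
for (const hit of findBelowFix(TREE, 'minimist', '1.2.2')) {
  console.log(`minimist@${hit.version} via ${hit.path}`);
}
```

Both copies in this tree are reached only through `node-pre-gyp`, which is why the path matters more than the bare `npm audit` count: the chain tells you which package actually invokes the flagged module, and `npm ls` (or `npm ls minimist`) on a real project produces exactly this text format.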
Issue Analytics
- Created 4 years ago
- Reactions:3
- Comments:5 (2 by maintainers)
Top GitHub Comments
Your npm audit gives no context and you probably need to look at using a better tool. Like contra said, these don't affect us. In fact, minimist would only be used if you were directly running those dependencies as a command line tool, which you aren't when you are using gulp.
Once mkdirp updates, the dependency will be pulled in automatically since we use semver - there isn't really anything actionable for us to do about this. Run `npm update` after the relevant packages fix themselves.

FWIW these `npm audit` warnings have no attack vector and I have always had an issue with how NPM/Snyk reports these "vulnerabilities". We get reports for these all the time and 0 of them have ever had any real exploitability. I used to be a pentester for a living + have published a handful of CVEs so I take the security of my packages extremely seriously.