@quasar/app relies on minimist 1.2.5 but should be 1.2.6 due to security issues
What happened?
After an npm audit:
npm audit report
minimist <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/minimist
@quasar/app *
Depends on vulnerable versions of minimist
node_modules/@quasar/app
2 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
What did you expect to happen?
That @quasar/app should use minimist@1.2.6
Reproduction URL
https://github.com/quasarframework/quasar/blob/dev/cli/package.json
How to reproduce?
1. npm init
2. npm install @quasar/app and then you get 2 high severity vulnerabilities
3. npm audit
Step 3 shows:
# npm audit report
minimist <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/minimist
@quasar/app *
Depends on vulnerable versions of minimist
node_modules/@quasar/app
2 high severity vulnerabilities
Flavour
Quasar CLI (@quasar/cli | @quasar/app)
Areas
Quasar CLI Commands/Configuration (@quasar/cli | @quasar/app)
Platforms/Browsers
Other
Quasar info output
No response
Relevant log output
No response
Additional context
No response
Issue Analytics
- Created a year ago
- Comments: 6 (3 by maintainers)
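To see which installed copy of minimist an audit finding like the one above refers to, and which package declares it, the following added example (not part of the original issue and not Quasar's code) walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3). The sample lockfile, its versions and ranges, and the `example-lib` package are constructed for illustration.

```javascript
// Added example, not project code. The floor comes from the audit output on
// this page ("minimist <=1.2.5"); everything in sampleLock is constructed.
const FIXED = [1, 2, 6];

function isBelow(version, floor) {
  // Compare numeric major.minor.patch, ignoring prerelease/build suffixes.
  const v = version.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((v[i] || 0) !== floor[i]) return (v[i] || 0) < floor[i];
  }
  return false;
}

// Node-style resolution inside the lockfile: look in the requiring package's
// own node_modules first, then walk up one level at a time to the root.
function resolveInLock(pkgs, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (pkgs[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('node_modules/');
    base = i <= 0 ? '' : base.slice(0, i - 1);
  }
}

function findVulnerableMinimist(lock) {
  const pkgs = lock.packages || {};
  const report = {};
  for (const [path, meta] of Object.entries(pkgs)) {
    const deps = { ...meta.devDependencies, ...meta.optionalDependencies, ...meta.dependencies };
    if (!('minimist' in deps)) continue;
    const target = resolveInLock(pkgs, path, 'minimist');
    if (!target || !pkgs[target].version || !isBelow(pkgs[target].version, FIXED)) continue;
    report[target] = report[target] || { version: pkgs[target].version, requiredBy: [] };
    report[target].requiredBy.push({ from: path || '(root project)', range: deps.minimist });
  }
  return report;
}

const sampleLock = { lockfileVersion: 2, packages: {
  '': { name: 'demo', dependencies: { '@quasar/app': '*' } },
  'node_modules/@quasar/app': { version: '0.0.0', dependencies: { minimist: '1.2.5' } },
  'node_modules/minimist': { version: '1.2.5' },
  'node_modules/example-lib': { version: '1.0.0', dependencies: { minimist: '^1.2.6' } },
  'node_modules/example-lib/node_modules/minimist': { version: '1.2.6' },
} };

console.log(JSON.stringify(findVulnerableMinimist(sampleLock), null, 2));
```

The `range` field in each `requiredBy` entry shows whether the dependent pins an exact version or accepts a newer one, which determines whether refreshing the lockfile is enough or the dependent itself has to be upgraded.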
Top GitHub Comments
@rstoenescu thank you it worked after upgrading the @quasar/app to 3.3.3 and running your suggested command.
Package @quasar/app diverged to @quasar/app-vite and @quasar/app-webpack. Run commands below for the CLI to handle updates for you.