Low Severity Vulnerability: Prototype Pollution in minimist.
- Versions:
  - nodemon -v: 2.0.15
  - node: 14.15.4
- Operating system/terminal environment: Windows 10 / VS Code terminal (git bash in VS Code)
- Using Docker? What image: none
- Command you ran: npm audit
Expected behaviour
found 0 vulnerabilities
Actual behaviour
found 2 vulnerabilities // I installed the hbs (handlebars) package; after installing it, it directly showed two high vulnerabilities (one in hbs minimist, and one in nodemon minimist).
Steps to reproduce
If applicable, please append the --dump flag on your command and include the output here ensuring to remove any sensitive/personal details or tokens.
Issue Analytics
- Created 2 years ago
- Comments: 8 (4 by maintainers)
Top Results From Across the Web
- Prototype Pollution in minimist | CVE-2021-44906 | Snyk: Low severity (3.7) Prototype Pollution in minimist. Snyk Learn offers an interactive lesson on Prototype Pollution vulnerabilities.
- Prototype Pollution in minimist · CVE-2021-44906: Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
- CVE-2021-44906 - Remote Code Execution (RCE): Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, ... we have rated the severity level for our products as low.

The reality is that there is an exceptionally slim chance of this vuln affecting you - iirc it can only be exploited through nodemon if you’re using someone else’s required version of nodemon (which you’ve not reported - i.e. you’re probably running nodemon directly).
I suspect you’ll see a minor bump in update-notifier or one of the downstream deps, and an npm install will automatically jump over the vulnerable package. All the same, I still want to remove update-notifier at some point soon.
For others on this thread, it’s always worth completely removing your node_modules and running npm install (over npm ci) in this specific case (I’m not 100% sure, but I think with yarn it’s a straightforward yarn to do a clean reinstall). This will ensure you’re getting the latest requested nodemon deps, and should clear you out of the range where there’s a potential vulnerability in some deep dependency.
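As an added illustration of what the minimist advisory quoted above actually describes, here is a small argv parser with the guard that closes a setKey()-style prototype-pollution hole, plus a check a project can run after parsing untrusted input. This is constructed example code, not minimist's, nodemon's, or anyone on this thread's; the function names safeSetKey, parseArgs and prototypeIsClean and the sample argv are assumptions made for the example.

```javascript
// Added example (not minimist's code): a minimal "--key.sub=value" parser whose
// nested assignment refuses to walk through the prototype chain, which is the
// class of bug CVE-2021-44906 describes in minimist's setKey().

// Key segments that must never be used as a path element when assigning into
// a plain object: assigning through them writes to Object.prototype (shared by
// every object in the process) instead of into the parsed result.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at the dotted `keyPath` inside `obj`, creating intermediate
// objects as needed. Returns false and leaves `obj` untouched if any segment
// is forbidden, so the caller can record the refusal.
function safeSetKey(obj, keyPath, value) {
  const segments = keyPath.split('.');
  if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
    return false;
  }
  let cursor = obj;
  for (const seg of segments.slice(0, -1)) {
    // Only descend into an OWN plain object; never into an inherited property.
    const own = Object.prototype.hasOwnProperty.call(cursor, seg);
    if (!own || typeof cursor[seg] !== 'object' || cursor[seg] === null) {
      cursor[seg] = {};
    }
    cursor = cursor[seg];
  }
  cursor[segments[segments.length - 1]] = value;
  return true;
}

// Parse argv entries of the form "--key=value", "--a.b=value" or "--flag";
// anything else is positional. Returns the parsed object together with the
// keys that were refused, so they can be logged instead of silently dropped.
function parseArgs(argv) {
  const result = { _: [] };
  const rejected = [];
  for (const arg of argv) {
    if (!arg.startsWith('--')) {
      result._.push(arg);
      continue;
    }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    const key = eq === -1 ? body : body.slice(0, eq);
    const value = eq === -1 ? true : body.slice(eq + 1);
    if (!safeSetKey(result, key, value)) {
      rejected.push(key);
    }
  }
  return { result, rejected };
}

// Defender-side check to run after parsing untrusted input: a brand-new empty
// object must not see any of the probe keys, even via inheritance (`in`).
function prototypeIsClean(probeKeys) {
  const fresh = {};
  return probeKeys.every((k) => !(k in fresh));
}

// Constructed sample input: an ordinary config plus one key path that names
// the prototype chain, which a parser without the guard would follow.
const sampleArgv = ['start', '--server.port=3000', '--verbose', '--__proto__.polluted=yes'];
const parsed = parseArgs(sampleArgv);
console.log(JSON.stringify(parsed.result));
console.log('rejected keys:', parsed.rejected);
console.log('prototype clean:', prototypeIsClean(['polluted']));
```

The "rejected" list is the detection hook: in a real service you would log those keys rather than discard them quietly, and prototypeIsClean (or an equivalent assertion in your test suite) is a cheap regression check that no parser or deep-merge helper in your dependency tree has started writing into Object.prototype.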