
minimist Prototype Pollution vulnerability #62

Open
bytestream opened this issue Jun 13, 2020 · 6 comments

Comments

@bytestream

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ selectize                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ selectize > sifter > optimist > minimist                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

https://github.com/substack/node-optimist is deprecated. The author seems to have no intention of maintaining the package.

I think optimist should be replaced with yargs, which has all the same functionality - https://github.com/yargs/yargs/blob/master/docs/examples.md#even-more-shiver-me-timbers

Alternatively, optimist should be forked and minimist version bumped to 0.2.1.
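As an added example (not code from the sifter project or from anyone in this thread), a small Node script that checks the minimist versions found in a dependency tree against the advisory's "Patched in" range from the audit table above. The version list is constructed; the comparator parsing only covers the operators that range uses, so a real tree should be checked with the `semver` package.

```javascript
// Added example: flag installed minimist versions that fall outside the
// advisory's "Patched in" range. Supports only >=, <=, >, <, = and "||",
// which is all the range in the audit table needs.

const PATCHED_RANGE = '>=0.2.1 <1.0.0 || >=1.2.3'; // copied from the audit table

// Parse "MAJOR.MINOR.PATCH" into a numeric tuple; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Does `version` satisfy one space-separated set of comparators (AND)?
function satisfiesSet(version, set) {
  return set.trim().split(/\s+/).every((comp) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
  });
}

// "||" separates alternative comparator sets (OR).
function satisfies(version, range) {
  return range.split('||').some((set) => satisfiesSet(version, set));
}

// Given the versions found in the tree (e.g. from `npm ls minimist`),
// return those that are still unpatched.
function vulnerableVersions(installed, range = PATCHED_RANGE) {
  return installed.filter((v) => !satisfies(v, range));
}

// Constructed sample: 0.0.10 is the version the compare link in this thread starts from.
const found = ['0.0.10', '0.2.1', '1.2.0', '1.2.3'];
console.log('unpatched minimist:', vulnerableVersions(found)); // prints [ '0.0.10', '1.2.0' ]
```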

@bytestream
Author

The safest option is probably to ditch optimist and use minimist@0.2.1 directly.

Comparison of current minimist version against suggested
https://github.com/substack/minimist/compare/0.0.10...0.2.1

@bunnymatic

bunnymatic commented Jun 15, 2020

I was looking into submitting a PR that replaced optimist with minimist. Would you, the owner, prefer yargs? Do you have a preference?

It does seem like minimist doesn't have all the same stuff. The first thing I see that's missing is the usage and describe methods. Those could certainly be handled but maybe yargs would be closer out of the box.

@sandstrom

Another solution would be to move out the CLI (which most people don't use), see #58

@bytestream
Author

For anyone who's given up the will to live with npm audit notifications, which most over-stretched open source library maintainers would argue only affect node applications and not web applications, I would suggest integrating https://github.com/naugtur/npm-audit-resolver#readme

Just be careful you don't accidentally turn a blind eye to a real vulnerability...

@acbramley

GHSA-xvch-5gv4-984h: the vulnerability is now Critical.

@sandstrom

For anyone looking at alternatives to Sifter, here are a few I've found:
