yargs-parser vulnerability #2438

Closed
nessor opened this issue May 1, 2020 · 1 comment

Comments

@nessor

nessor commented May 1, 2020

Hey guys,

npm is reporting a Prototype Pollution vulnerability on the yargs-parser dependency.

Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of gulp-sass [dev]
Path gulp-sass > node-sass > sass-graph > yargs > yargs-parser
More info https://npmjs.com/advisories/1500

@yocontra
Member

yocontra commented May 1, 2020

Please use the search mechanism on the issue tracker before opening a ticket - we have answered this question probably 40 times.

  1. This "vulnerability" does not have any attack vector in our software.
  2. If you look at the path you have in your original comment, the yargs dependency is not even in our dependency chain. yargs is being included by sass-graph, which is used by node-sass.
  3. Most likely if this was patched in a patch release, you can just run npm upgrade to use the latest version. This is why semver exists so that everybody doesn't need to be constantly updating packages every time a dependency updates.
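Point 3 turns on whether a resolved yargs-parser version falls inside the patched ranges quoted from advisory 1500 in the issue (`>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2`). The following is an added example, written for this page and not code from gulp, yargs or npm: a dependency-free check of a version string against exactly that range expression, so a lockfile entry can be classified without running `npm audit`.

```javascript
// Added example: evaluate a resolved yargs-parser version against the
// patched ranges from npm advisory 1500 as quoted in the issue thread.
// Implements only the subset of semver syntax that range uses (no deps).

const PATCHED_RANGE = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator-style result: negative, zero or positive.
// A prerelease sorts before its release ("4.0.0-alpha1" < "4.0.0").
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] - b.parts[i];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Evaluate one comparator such as ">=13.1.2" against a parsed version.
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\S+)$/.exec(comparator.trim());
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const cmp = compareVersions(version, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '>=': return cmp >= 0;
    case '<=': return cmp <= 0;
    case '>':  return cmp > 0;
    case '<':  return cmp < 0;
    default:   return cmp === 0;
  }
}

// A range is "||"-separated sets of space-separated comparators (AND).
function satisfiesRange(versionString, range) {
  const version = parseVersion(versionString);
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(c => satisfiesComparator(version, c)));
}

// True when the given yargs-parser version is covered by the advisory's fix.
function isPatchedYargsParser(versionString) {
  return satisfiesRange(versionString, PATCHED_RANGE);
}
```

The boundaries match the vulnerable ranges printed by `npm audit` in the thread: 13.1.1, 14.0.0 and 18.1.1 are unpatched, while 13.1.2, 15.0.1 and 18.1.2 are the first fixed releases on each line.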

@yocontra yocontra closed this as completed May 1, 2020
Bradshaw pushed a commit to Bradshaw/gulp-do-merge that referenced this issue Apr 29, 2021
```
yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/yargs/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    gulp-cli  >=2.0.0
    Depends on vulnerable versions of yargs
    node_modules/gulp-cli
      gulp  >=4.0.0
      Depends on vulnerable versions of gulp-cli
      node_modules/gulp

4 low severity vulnerabilities
```

There are still "low severity" vulnerabilities in yargs-parser used by gulp, which doesn't have an attack vector: gulpjs/gulp#2438 (comment)