
Upgrade yargs to 16.0.0 to fix prototype pollution high vulnerability issue #10860

Closed
jjloneman opened this issue Nov 23, 2020 · 2 comments

Comments

@jjloneman

🐛 Bug Report

I am unable to use react-scripts@4.0.1 for work due to a high vulnerability security issue with jest@26.6.3 pulling in yargs@15.4.1 (see https://snyk.io/test/npm/react-scripts/4.0.1)

Jest vulnerability report: https://snyk.io/test/npm/jest/26.6.3

Note: This also affects jest-circus@26.3.3 (https://snyk.io/test/npm/jest-circus/26.6.3)

To Reproduce

$ npx snyk test jest

Testing jest...

✗ High severity vulnerability found in y18n
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-Y18N-1021887
  Introduced through: jest-cli@26.6.3, @jest/core@26.6.3
  From: jest-cli@26.6.3 > yargs@15.4.1 > y18n@4.0.0
  From: @jest/core@26.6.3 > jest-runtime@26.6.3 > yargs@15.4.1 > y18n@4.0.0
  From: @jest/core@26.6.3 > jest-runner@26.6.3 > jest-runtime@26.6.3 > yargs@15.4.1 > y18n@4.0.0
  and 15 more...

Organization:      jjloneman
Package manager:   npm
Open source:       yes
Project path:      jest

Tested jest for known vulnerabilities, found 1 vulnerability, 18 vulnerable paths.

Expected behavior

No vulnerabilities.

Link to repl or repo (highly encouraged)

jest vulnerability output from https://snyk.io/test/npm/jest/26.6.3:

Prototype Pollution

Vulnerable module: y18n

  • Introduced through: jest-cli@26.6.3 and @jest/core@26.6.3

Detailed paths

  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest@26.6.3 › jest-cli@26.6.3 › @jest/core@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0

jest-circus vulnerability output from https://snyk.io/test/npm/jest-circus/26.6.3:

Prototype Pollution

Vulnerable module: y18n

  • Introduced through: jest-runtime@26.6.3 and jest-runner@26.6.3

Detailed paths

  • Introduced through: jest-circus@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest-circus@26.6.3 › jest-runner@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest-circus@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › @jest/test-sequencer@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0
  • Introduced through: jest-circus@26.6.3 › jest-runner@26.6.3 › jest-config@26.6.3 › jest-jasmine2@26.6.3 › jest-runtime@26.6.3 › yargs@15.4.1 › y18n@4.0.0

envinfo

$ npx envinfo --preset jest

  System:
    OS: macOS 10.15.7
    CPU: (4) x64 Intel(R) Core(TM) i5-4258U CPU @ 2.40GHz
  Binaries:
    Node: 15.2.1 - /usr/local/bin/node
    npm: 7.0.12 - /usr/local/bin/npm
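A defender-side check for the dependency paths listed in the report above, added here as an example (it is not code from the issue, from Snyk or from Jest): it walks a lockfile v1 "dependencies" tree and lists every path from a direct dependency to an affected module, mirroring Snyk's "Introduced through" lines. The SAMPLE_LOCK object is constructed from part of the jest@26.6.3 tree shown above, and the FIXED_IN boundary is an assumption for the demo rather than a value taken from the page.

```javascript
// Added example, not code from the issue or from Jest: walk a lockfile v1
// "dependencies" tree and list every path that reaches an affected module,
// the way Snyk's "Introduced through" lines in the report do. SAMPLE_LOCK is
// constructed to mirror part of the jest@26.6.3 tree above.
const SAMPLE_LOCK = {
  dependencies: {
    jest:           { version: '26.6.3', requires: { 'jest-cli': '^26.6.3', '@jest/core': '^26.6.3' } },
    'jest-cli':     { version: '26.6.3', requires: { yargs: '^15.4.1', '@jest/core': '^26.6.3' } },
    '@jest/core':   { version: '26.6.3', requires: { 'jest-runtime': '^26.6.3' } },
    'jest-runtime': { version: '26.6.3', requires: { yargs: '^15.4.1' } },
    yargs:          { version: '15.4.1', requires: { y18n: '^4.0.0' } },
    y18n:           { version: '4.0.0' },
  },
};
// Plain numeric x.y.z comparison (no prerelease handling); enough for this check.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}
// roots: the project's direct dependencies (v1 does not mark them); isAffected: version predicate.
function findPaths(lock, roots, target, isAffected) {
  const found = [];
  // v1 nests "dependencies" on version conflicts: resolve innermost scope outward (node_modules lookup).
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--)
      if (scopes[i][name]) return { node: scopes[i][name], scopes: scopes.slice(0, i + 1) };
    return null;
  };
  const walk = (name, node, scopes, trail) => {
    const label = `${name}@${node.version}`;
    if (trail.includes(label)) return; // cycle guard
    const path = [...trail, label];
    if (name === target && isAffected(node.version)) { found.push(path.join(' > ')); return; }
    const inner = node.dependencies ? [...scopes, node.dependencies] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const r = resolve(dep, inner);
      if (r) walk(dep, r.node, r.scopes, path);
    }
  };
  for (const root of roots) {
    const r = resolve(root, [lock.dependencies]);
    if (r) walk(root, r.node, r.scopes, []);
  }
  return found;
}
const FIXED_IN = '4.0.1'; // assumed fix boundary for this demo; take the real one from the advisory
const paths = findPaths(SAMPLE_LOCK, ['jest'], 'y18n', v => versionLessThan(v, FIXED_IN));
paths.forEach(p => console.log('From: ' + p));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and pass the names from package.json as roots; the three printed paths for the sample match the first, fourth and second "Detailed paths" entries above.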
@SimenB
Member

SimenB commented Nov 23, 2020

It's a breaking change to upgrade (see the revert in #10599). Jest 27 will have the update to v16.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2021