Some dependencies have a dependency on minimist that is not executed, but would be nice to update. #11149

Closed
mjziolko opened this issue Mar 17, 2020 · 4 comments

Comments

@mjziolko (Contributor)

Bug report

Describe the bug

Multiple security vulnerabilities associated with next dependencies.

Ex:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.3                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ next                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ next > mkdirp > minimist                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Next needs to update four packages to patch this vulnerability:

next > babel-loader > mkdirp > minimist
next > cache-loader > mkdirp > minimist
next > mkdirp > minimist
next > webpack > mkdirp > minimist

There are even more associated with webpack and its dependencies.

To Reproduce

  • Install nextjs in a project
  • npm audit
  • npm reports 10 moderate security vulnerabilities associated with next

Expected behavior

npm reports no security vulnerabilities associated with next

System information

  • OS: macOS
  • Browser: N/A
  • Version of Next.js: 9.3.1
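
The advisory quoted in the report above is a prototype-pollution bug in a CLI argument parser: a dotted option name such as `--__proto__.polluted=yes` is walked as an object path and lands on `Object.prototype`. The following is an added illustration, not code from Next.js, from minimist or from the reporter: a minimal dotted-key parser written here in two flavours, one reproducing the flaw class and one closing it. Option names, the `polluted` property and the attacker input are constructed for the demonstration.

```javascript
// Added example, not code from Next.js or from minimist: a minimal
// dotted-key argument parser in two flavours, to show the prototype-
// pollution class behind npm advisory 1179 and how to close it.
// Node.js, no dependencies. Only "--key=value" / "--flag" forms are parsed.

// Path segments that must never be used to walk or write an object graph.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `segments` from `root`, creating intermediate containers as needed,
// and assign `value` at the end. Returns false if a segment was rejected.
function setPath(root, segments, value, { makeContainer, rejectSegment }) {
  let node = root;
  for (const seg of segments.slice(0, -1)) {
    if (rejectSegment(seg)) return false;
    // The vulnerable behaviour lives here: on a plain object, node['__proto__']
    // is Object.prototype (not undefined), so the walk descends into it.
    if (node[seg] === undefined) node[seg] = makeContainer();
    node = node[seg];
  }
  const last = segments[segments.length - 1];
  if (rejectSegment(last)) return false;
  node[last] = value;
  return true;
}

// Parse argv. hardened=false mirrors the flaw: plain {} containers and no
// segment filtering. hardened=true uses null-prototype containers (nothing
// inherited to walk into) and rejects the forbidden segments outright.
function parseArgs(args, { hardened }) {
  const argv = hardened ? Object.create(null) : {};
  argv._ = [];
  const opts = hardened
    ? { makeContainer: () => Object.create(null),
        rejectSegment: (seg) => FORBIDDEN_SEGMENTS.has(seg) }
    : { makeContainer: () => ({}), rejectSegment: () => false };
  for (const arg of args) {
    const m = /^--([^=\s]+)(?:=(.*))?$/.exec(arg);
    if (!m) { argv._.push(arg); continue; }
    setPath(argv, m[1].split('.'), m[2] === undefined ? true : m[2], opts);
  }
  return argv;
}

// Parse `args`, then check whether an unrelated, freshly created object now
// carries an injected `polluted` property. Cleans up afterwards so the rest
// of the process is not affected by the demonstration.
function pollutes(args, hardened) {
  parseArgs(args, { hardened });
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}

// Constructed attacker input: a benign-looking invocation with one extra option.
const ATTACK = ['build', '--__proto__.polluted=yes'];

console.log('vulnerable parser pollutes Object.prototype:', pollutes(ATTACK, false));
console.log('hardened parser pollutes Object.prototype:', pollutes(ATTACK, true));
```

The second vector worth checking against any parser of this shape is `--constructor.prototype.polluted=yes`, which reaches `Object.prototype` through the `constructor` function instead of `__proto__`; the null-prototype containers alone stop both, and the segment deny-list is kept as a second layer so that a plain-object root cannot reintroduce the walk.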
@timneutkens (Member)

Just to be clear. Next.js does not execute minimist from any of these packages. So there is no attack vector for any of these when using Next.js.

@timneutkens changed the title from "10 moderate security vulnerabilities reported by npm audit associated with next" to "Some dependencies have a dependency on minimist that is not executed, but would be nice to update." Mar 18, 2020
@timneutkens (Member)

Updated the title to correctly reflect what is actually the case.
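
When `npm audit` counts "10 moderate vulnerabilities", it is counting dependency paths, not distinct bugs, and the maintainer's point is that none of these paths is executed at runtime. The triage helper below is an added example, not code from the Next.js project or from npm, that collapses an audit report to one row per advisory and names the package sitting directly above the vulnerable module on each path. The report it runs on is constructed to carry the four paths quoted in the issue; its field layout is modelled on the npm 6 `npm audit --json` output (`advisories[id].findings[].paths`, `>`-separated), and the installed minimist version is an assumption, not a figure from the issue.

```javascript
// Added example, not part of the Next.js repo or of npm: a triage helper for
// `npm audit --json`. SAMPLE_AUDIT is CONSTRUCTED from the four paths quoted in
// the issue; the object shape follows the npm 6 audit JSON and the installed
// minimist version is assumed.
const SAMPLE_AUDIT = {
  advisories: {
    1179: {
      id: 1179,
      module_name: 'minimist',
      severity: 'moderate',
      title: 'Prototype Pollution',
      patched_versions: '>=1.2.3',
      url: 'https://npmjs.com/advisories/1179',
      findings: [
        {
          version: '1.2.0', // assumed installed version, not from the issue
          paths: [
            'next>babel-loader>mkdirp>minimist',
            'next>cache-loader>mkdirp>minimist',
            'next>mkdirp>minimist',
            'next>webpack>mkdirp>minimist',
          ],
        },
      ],
    },
  },
};

// The package one hop above the vulnerable module on a path: the one whose
// dependency range has to move for that path to disappear.
function directParent(path) {
  const segs = path.split('>');
  return segs.length > 1 ? segs[segs.length - 2] : '(direct dependency)';
}

// Collapse the report to one row per advisory. `pathCount` is what npm reports
// as separate "vulnerabilities"; `directParents` is the set of packages that
// actually pin the vulnerable version. A single element there means one
// upstream bump (or one override) closes every path at once.
function triage(audit) {
  return Object.values(audit.advisories).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      patched: adv.patched_versions,
      pathCount: paths.length,
      roots: [...new Set(paths.map((p) => p.split('>')[0]))].sort(),
      directParents: [...new Set(paths.map(directParent))].sort(),
    };
  });
}

for (const row of triage(SAMPLE_AUDIT)) {
  console.log(`${row.severity} #${row.id} ${row.module}: ${row.pathCount} path(s), ` +
    `pinned by ${row.directParents.join(', ')}, fixed in ${row.patched}`);
}
```

On the constructed report the four paths reduce to a single direct parent, mkdirp, which is the one package that must pick up minimist 1.2.3 or later for all four findings to clear. To run it on a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of the output of `npm audit --json`; note that npm 7 and later changed the audit JSON layout (a top-level `vulnerabilities` map instead of `advisories`), so this parser targets the npm 6 format that was current when the issue was filed.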

@Timer (Member) commented Sep 10, 2020

Closing as I don't see this anymore

@Timer Timer closed this as completed Sep 10, 2020
@balazsorban44 (Member)

This issue has been automatically locked due to no recent activity. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@vercel vercel locked as resolved and limited conversation to collaborators Jan 29, 2022