New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minimist CVE #1330

Closed

Kevin-Molina opened this issue Mar 21, 2022 · 1 comment

Labels

needs triage stale

Kevin-Molina commented Mar 21, 2022 •

edited

Generator has a dependency on minimist v1.2.5 that's got a CVE blocking deployments for a lot of folks.

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906 -
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Current version 1.2.5 - https://github.com/yeoman/generator/blob/main/package.json#L70
Conversation on minimist repo about the CVE here about possible fixes - https://github.com/substack/minimist/issues/164

The text was updated successfully, but these errors were encountered:

Kevin-Molina added the needs triage label

Contributor

github-actions bot commented Apr 21, 2022

This issue is stale because it has been open with no activity. Remove stale label or comment or this will be closed

github-actions bot added the stale label

github-actions bot closed this as completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment