
Minimist vulnerability warning #22385

Closed
joshcummingsdesign opened this issue Mar 18, 2020 · 3 comments
Labels
stale? Issue that may be closed soon due to the original author not responding any more. type: upstream Issues outside of Gatsby's control, caused by dependencies

Comments

@joshcummingsdesign

Description

Running yarn audit exposes a warning that the package "minimist" contains a vulnerability.

Steps to reproduce

Run yarn audit and see the following warnings:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby > eslint-loader > loader-fs-cache > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-plugin-sharp                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-plugin-sharp > potrace > jimp > @jimp/custom >        │
│               │ @jimp/core > mkdirp > minimist                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby-transformer-sharp                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gatsby-transformer-sharp > potrace > jimp > @jimp/custom >   │
│               │ @jimp/core > mkdirp > minimist                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

Expected result

yarn audit should pass.

Actual result

Running yarn audit returns the warnings seen above.

Environment

  System:
    OS: macOS Mojave 10.14.6
    CPU: (8) x64 Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz
    Shell: 5.7.1 - /usr/local/bin/zsh
  Binaries:
    Node: 13.6.0 - /var/folders/jf/6k2zy_892gd_0g4154gjd98h0000gp/T/yarn--1584561310666-0.6658240286530168/node
    Yarn: 1.21.1 - /var/folders/jf/6k2zy_892gd_0g4154gjd98h0000gp/T/yarn--1584561310666-0.6658240286530168/yarn
    npm: 6.13.4 - ~/.asdf/installs/nodejs/13.6.0/bin/npm
  Languages:
    Python: 3.7.4 - /Users/josh/.asdf/shims/python
  Browsers:
    Chrome: 80.0.3987.132
    Firefox: 69.0.3
    Safari: 12.1.2
  npmPackages:
    gatsby: ^2.19.45 => 2.19.45
    gatsby-image: ^2.2.44 => 2.2.44
    gatsby-plugin-catch-links: ^2.1.28 => 2.1.28
    gatsby-plugin-emotion: ^4.1.25 => 4.1.25
    gatsby-plugin-manifest: ^2.2.48 => 2.2.48
    gatsby-plugin-offline: ^3.0.41 => 3.0.41
    gatsby-plugin-react-helmet: ^3.1.24 => 3.1.24
    gatsby-plugin-sharp: ^2.4.13 => 2.4.13
    gatsby-plugin-sitemap: ^2.2.30 => 2.2.30
    gatsby-remark-autolink-headers: ^2.1.26 => 2.1.26
    gatsby-remark-external-links: ^0.0.4 => 0.0.4
    gatsby-remark-prismjs: ^3.3.36 => 3.3.36
    gatsby-source-filesystem: ^2.1.56 => 2.1.56
    gatsby-transformer-remark: ^2.6.59 => 2.6.59
    gatsby-transformer-sharp: ^2.3.19 => 2.3.19
    gatsby-transformer-yaml: ^2.2.27 => 2.2.27
@joshcummingsdesign joshcummingsdesign added the type: bug An issue or pull request relating to a bug in Gatsby label Mar 18, 2020
@LekoArts LekoArts added type: upstream Issues outside of Gatsby's control, caused by dependencies and removed type: bug An issue or pull request relating to a bug in Gatsby labels Mar 23, 2020
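Two things a maintainer triaging this report would want to check are whether an installed minimist version falls inside the "Patched in" range the audit prints, and what the prototype-pollution fix class looks like. The following is an added example, not code from the issue, Gatsby or minimist; it assumes plain x.y.z versions, the comparator subset used in the audit output (`>=`, `<`, spaces as AND, `||` as OR), and a hypothetical `setKeyHardened` helper that illustrates the kind of guard a dotted-key setter needs (the `UNSAFE_KEYS` list is an assumption, not minimist's code).

```javascript
// Added example: check a version against a yarn-audit "Patched in" range, and
// show the guard that stops a dotted-key setter from writing to Object.prototype.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Subset of semver range syntax seen in the audit output:
// comparators joined by spaces (AND) and by "||" (OR).
function isPatched(version, range) {
  return range.split('||').some(clause =>
    clause.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<)(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0 }[m[1]];
    })
  );
}

// Prototype pollution in an option parser arises when a user-controlled dotted
// key such as "__proto__.x" is walked and assigned into, so the write lands on
// Object.prototype and every object inherits it. The guard below (assumed, for
// illustration) refuses the special keys and refuses to descend into the prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setKeyHardened(obj, dottedKey, value) {
  const parts = dottedKey.split('.');
  let o = obj;
  for (const part of parts.slice(0, -1)) {
    if (UNSAFE_KEYS.has(part) || o === Object.prototype) return false;
    if (o === null || typeof o !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(o, part)) o[part] = {};
    o = o[part];
  }
  const last = parts[parts.length - 1];
  if (UNSAFE_KEYS.has(last) || o === Object.prototype) return false;
  if (o === null || typeof o !== 'object') return false;
  o[last] = value;
  return true; // write landed on the caller's own object only
}
```

Running `isPatched('1.2.5', '>=0.2.1 <1.0.0 || >=1.2.3')` returns true while `1.2.0` and `1.0.0` return false, matching the range in the audit table.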
@LekoArts
Contributor

Hi, thanks for the issue!

There is nothing much we can do here; we'll have to wait for upstream packages to update their relevant packages. If it calms you down: the vulnerability won't affect the security of your live production site; we use eslint-loader for DX in gatsby develop.

@github-actions

Hiya!

This issue has gone quiet. Spooky quiet. 👻

We get a lot of issues, so we currently close issues after 30 days of inactivity. It’s been at least 20 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request. Check out gatsby.dev/contribute for more information about opening PRs, triaging issues, and contributing!

Thanks for being a part of the Gatsby community! 💪💜

@github-actions github-actions bot added the stale? Issue that may be closed soon due to the original author not responding any more. label Apr 12, 2020
@LekoArts
Contributor

If you do a gatsby new audit-test and a yarn audit, you'll see that the vulnerabilities have been fixed in the meantime. So closing this.
