Minimist Vulnerability Found --> Coming from Shakapacker's gem yarn.lock file #105
Closed
RailsCod3rFuture started this conversation in General
-
@justin808 are you able to provide any insights on this?
-
Looks like a long chain of dependencies here. Will try to update peer dependencies versioning in the PR. Looks like it all starts with babel loader. In your app, you should be able to just upgrade minimist so the yarn.lock version gets locked to 1.2.6; this should be enough to plug this hole on your end (done that in my app).
-
Shakapacker has used minimist 1.2.6 since April 2022 (#109)
-
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Will this be resolved in the next version of shakapacker, or if I upgrade from 6.0.0+?
AWS Inspector -> file path: usr/local/bundle/gems/shakapacker-6.0.0/yarn.lock
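To confirm which minimist version a given yarn.lock actually pins (the file the scanner finding points at, or your app's lockfile after the upgrade to 1.2.6 suggested in the replies), the check can be scripted. This is an added example, not code from the thread or from shakapacker; it assumes the yarn.lock v1 text format, the function names are hypothetical, and the `<= 1.2.5` threshold is the one quoted in the post.

```javascript
// Threshold taken from the finding quoted in this thread: minimist <= 1.2.5 is affected.
const LAST_VULNERABLE = [1, 2, 5];

// Compare two [major, minor, patch] arrays; returns <0, 0 or >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Parse yarn.lock (v1 format, assumed) and return every minimist entry
// whose resolved version is at or below the threshold.
function findVulnerableMinimist(lockText) {
  const findings = [];
  let currentSpecs = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      // Entry header, e.g.  minimist@^1.2.0, "minimist@^1.2.5":
      const specs = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      // Track only entries for the minimist package itself, not its dependents.
      currentSpecs = specs.every((s) => s.startsWith("minimist@")) ? specs : null;
      continue;
    }
    const m = currentSpecs && line.match(/^\s+version\s+"(\d+)\.(\d+)\.(\d+)[^"]*"/);
    if (m) {
      const version = m.slice(1, 4).map(Number);
      if (compareVersions(version, LAST_VULNERABLE) <= 0) {
        findings.push({ specs: currentSpecs, version: version.join(".") });
      }
      currentSpecs = null;
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from shakapacker's real yarn.lock).
const SAMPLE_LOCK = `# yarn lockfile v1

json5@^1.0.1:
  version "1.0.1"
  dependencies:
    minimist "^1.2.0"

minimist@^1.2.0, "minimist@^1.2.5":
  version "1.2.5"

minimist@^1.2.6:
  version "1.2.6"
`;

console.log(findVulnerableMinimist(SAMPLE_LOCK));
```

An empty result means every minimist entry in the lockfile resolves above the threshold; a dependent's `minimist "^1.2.0"` range on its own is not a finding, only the resolved `version` line is.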