Prototype Pollution in minimist | @angular-devkit/schematics-cli v13.3.0

[Shinigami92]

nestjs/nest-cli#1579

Blocking CI/CD in company project using @nestjs/cli

Prototype Pollution in minimist

> pnpm audit
┌─────────────────────┬───────────────────────────────────────────────────┐
│ high                │ Prototype Pollution in minimist                   │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Package             │ minimist                                          │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Vulnerable versions │ <=1.2.5                                           │
├─────────────────────┼───────────────────────────────────────────────────┤
│ Patched versions    │ <0.0.0                                            │
├─────────────────────┼───────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-xvch-5gv4-984h │
└─────────────────────┴───────────────────────────────────────────────────┘
1 vulnerabilities found
Severity: 1 high

> pnpm why minimist
Legend: production dependency, optional only, dev only

dependencies:
@nestjs/apollo 10.0.7
├─┬ @nestjs/core 8.4.2 peer
│ └─┬ @nestjs/platform-express 8.4.2 peer
│   └─┬ multer 1.4.4
│     └─┬ mkdirp 0.5.5
│       └── minimist 1.2.6
└─┬ @nestjs/graphql 10.0.7 peer
  └─┬ @nestjs/core 8.4.2 peer
    └─┬ @nestjs/platform-express 8.4.2 peer
      └─┬ multer 1.4.4
        └─┬ mkdirp 0.5.5
          └── minimist 1.2.6
@nestjs/core 8.4.2
└─┬ @nestjs/platform-express 8.4.2 peer
  └─┬ multer 1.4.4
    └─┬ mkdirp 0.5.5
      └── minimist 1.2.6
@nestjs/graphql 10.0.7
└─┬ @nestjs/core 8.4.2 peer
  └─┬ @nestjs/platform-express 8.4.2 peer
    └─┬ multer 1.4.4
      └─┬ mkdirp 0.5.5
        └── minimist 1.2.6
@nestjs/platform-express 8.4.2
└─┬ multer 1.4.4
  └─┬ mkdirp 0.5.5
    └── minimist 1.2.6

devDependencies:
@nestjs/cli 8.2.4
├─┬ @angular-devkit/schematics-cli 13.3.0
│ └── minimist 1.2.5
├─┬ tsconfig-paths 3.14.0
│ ├─┬ json5 1.0.1
│ │ └── minimist 1.2.6
│ └── minimist 1.2.6
└─┬ tsconfig-paths-webpack-plugin 3.5.2
  └─┬ tsconfig-paths 3.14.0
    ├─┬ json5 1.0.1
    │ └── minimist 1.2.6
    └── minimist 1.2.6
@nestjs/testing 8.4.2
├─┬ @nestjs/core 8.4.2 peer
│ └─┬ @nestjs/platform-express 8.4.2 peer
│   └─┬ multer 1.4.4
│     └─┬ mkdirp 0.5.5
│       └── minimist 1.2.6
└─┬ @nestjs/platform-express 8.4.2 peer
  └─┬ multer 1.4.4
    └─┬ mkdirp 0.5.5
      └── minimist 1.2.6
tsconfig-paths 3.14.0
├─┬ json5 1.0.1
│ └── minimist 1.2.6
└── minimist 1.2.6

[Shinigami92]

Temporary workaround => add this to package.json:

  // ...
  "pnpm": {
    "overrides": {
      "minimist@<=1.2.5": "1.2.6"
    }
  }

So at least this unblocks my CI

[alan-agius4]

It appears that 1.2.6 is still vulnerable https://snyk.io/test/npm/minimist/1.2.6

That said, it is important to point out that we don't expect the CLI to run in production environments where this vulnerability can be exploited.

[zackdotcomputer]

Filed with them: https://github.com/substack/minimist/issues/168

Agreed that this isn't a must-fix-right-away issue because its in a CLI, my main concern over on my project is that someone runs npm audit fix --force and winds up downgrading our use of @nestjs/cli (which depends on this repo) back a few years.