Upgrade Dependency "minimist" to avoid prototype pollution security risk

[MixMasterT]

Version

4.2.3

Reproduction link

n/a

Environment info

This issue is present in all normal usage environments.

Steps to reproduce

This issue can be easily found using npm tooling. I am not sure how to identify it using yarn. Basically, just run "npm audit" or "npm audit --fix". The minimist package is recognized to have a prototype pollution vulnerability and it is recommended to move up to version 1.2.3 or higher.

What is expected?

No security vulnerabilities

What is actually happening?

npm flags vue-cli as harboring a moderate risk (prototype pollution) through the "minimist" dependency.

---

I tried to fix this myself, but was unable to push my code up for a PR. It should be as simple as updating the line in package.json. However tests will need to be run to ensure that doing so does not introduce any other problems.

[kaantureyyen]

Yup, same problem

[kaantureyyen]

Same issue is also present for @vue/cli-plugin-babel and @vue/cli-plugin-eslint

[bjkippax]

Same issue present for the following;

• @vue/cli-plugin-babel
• @vue/cli-service
• @vue/cli-plugin-eslint

https://npmjs.com/advisories/1179

[dosstx]

Same issue.

[haoqunjiang]

But the depended version is a caret range: "minimist": "^1.2.0". You should be able to fix it by cleaning up the cache, the lockfiles and then reinstalling.

[dosstx]

Can someone provide the exact steps on how to do this the right way?

[kaantureyyen]

Running npm audit, I can see that the problem is with the version of minimist that mkdirp uses. mkdirp is a sub dependency in all of the mentioned packages above.

[haoqunjiang]

• @vue/cli-plugin-eslint:
  • please update minimist due to prototype pollution (CVE-2020-7598) webpack-contrib/eslint-loader#316
  • mkdirp dependency on minimist has security vulnerability  viankakrisna/loader-fs-cache#5
• @vue/cli-plugin-unit-mocha, @vue/cli-plugin-e2e-cypress, chromedriver:
  • Update mkdirp for security max-mapper/extract-zip#85

I don't see how @vue/cli-service is affected.

The mocha and cypress ones are addressed in mochajs/mocha#4204 cypress-io/cypress#6726
But we can't upgrade now because they are only available in new major versions.

So please use the resolutions field in package.json for now.

• https://classic.yarnpkg.com/en/docs/selective-version-resolutions/
• https://www.npmjs.com/package/npm-force-resolutions

[dosstx]

The above workaround did work for me like so:

package.json:

"scripts": {
    "preinstall": "npx npm-force-resolutions",
......
}
  "resolutions": {
    "minimist": "1.2.3",
    "mkdir": "0.5.3"
  }

I then ran npm install .
I am no expert. If anyone has a better solution or any comments, let me know.