302 moderate severity vulnerabilities in npm audit due to minimist package

[sphingu]

Describe the bug

I have prepared new project with create-react-app. and then I have tried to run npm audit.
in that I got following output

Moderate        Prototype Pollution                                           
                                                                               
 Package         minimist                                                      
                                                                               
 Patched in      >=1.2.3                                                       
                                                                               
 Dependency of   react-scripts                                                 
                                                                               
 Path            react-scripts > webpack-dev-server > chokidar > fsevents >    
                 node-pre-gyp > rc > minimist                                  
                                                                               
 More info       https://npmjs.com/advisories/1179                             
                                                                               
found 302 moderate severity vulnerabilities in 918863 scanned packages
 302 vulnerabilities require manual review. See the full report for details.

Environment

package.json

"dependencies": {
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.3.2",
    "@testing-library/user-event": "^7.1.2",
    "react": "^16.13.0",
    "react-dom": "^16.13.0",
    "react-scripts": "3.4.0"
  },

System npm and node version:

npm -v
6.14.2
node -v
v12.12.0

Expected behavior

It should use suggested updated version of package minimist.

[mdodge-ecgrow]

Same issue here, except mine says 583 low severity vulnerabilities.

But I'm just curious about something from looking at the path. Does this mean the rc package dependency needs to be updated? Or the react-scripts dependency? Or something else entirely?

[briannakeune]

Stopped by to say I'm also having the same issue with 583 low severity vulnerabilities.

[kbarnesweb]

@briannakeune @mdodge-ecgrow If you have 583 then you likely need to update react-scripts to 3.4.0.

Change your package.json files to "react-scripts": "^3.4.0", and then run npm install

I still have the 302 low-security vulnerabilities though.

[embeddedt]

I think this is a webpack issue. I don't use react-scripts and I see similar warnings about minimist. I tried updating webpack to no avail.

[phoqe]

#8663

[mdodge-ecgrow]

@kbarnesweb My current package.json says "react-scripts": "3.4.0". Would the missing caret affect that?

[ddd-37]

After recommended fix - "Change your package.json files to "react-scripts": "^3.4.0", and then run npm install" - I still have 583 low severity vulnerabilities

[kbarnesweb]

@ddd-37 The carrot shouldn't be the reason it works or not in this case. I tried updating jest and it fixed 300 of the 302 issues. If you want to recreate this:

Run
npm i jest@latest
Then, delete package-lock.json and node_modules folder.

Reinstall
npm install

[kbarnesweb]

@ddd-37 I believe the final 2 issues are due to mkdirp still using an old version of minimist. I'll post here if I find a fix.

[KerimG]

Can confirm.

With react-scripts and node-sass, I got a total of 283 low severity vulnerabilities and it's all minimist, which seems to be a dependency of mkdirp in all cases. Mkdirp is using an old version of minimist.

"mkdirp": {
      "version": "0.5.1",
      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
      "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
      "requires": {
        "minimist": "0.0.8"
      },

Seems like a fix is underway, though.

isaacs/node-mkdirp#7

[mdodge-ecgrow]

It appears like they've closed the issue. Does that mean it's done? The only resolution they gave at the end only applies to Yarn users and requires the user to manually do something. What about NPM users? And shouldn't this be a fix that is automatic and just happens when updating to the latest packages?

[jwandekoken]

Also having this issue. In my case, i just created a new project and i have 2 "Prototype Pollution" low severity vulnerabilities. They are both due the package "minimist", which are dependency of "react-scripts".
They both point to https://www.npmjs.com/advisories/1179 for more info

[GodGardensGuns]

I ran into the same issue, although I'm using my own React boilerplate w/ Babel and Webpack, not create-react-app. Turns out the chokidar package was using an older version of minimist (and was likely outdated itself). Running npm install chokidar updated chokidar to the latest version that uses a current version of minimist.

[rossjs]

This appears to be fixed in ^3.4.1

install react-scripts@latest to solve this

[a-tonchev]

I still have it, even in 3.4.1, with yarn audit

[amit14apr]

Solution:
For npm users:

1. npm install minimist --save-dev
   eg: (minimist version: 1.2.5)

2. Add Resolution key adjacent to dependency key into package.json file
   {
   "resolutions": {
   "minimist": "^1.2.5"
   }
   }

3. Add below line inside script key into package.json
   example:
   "scripts": {
   "preinstall": "npx npm-force-resolutions"
   }

4. Remove node_modules, and then run command: npm install.

That's it. :)

[emilyfoxmusic]

I am also still getting this issue after upgrading to react-scripts 3.4.1. I've temporarily used @amit14apr's solution above, but it would be nice if it could be fixed at source.

Has this issue been incorrectly closed, or are we missing some required step to make it work?

[a-tonchev]

I still have it, even in 3.4.1, with yarn audit

After reinstalling node modules and yarn lock, everything works fine now. Thanks ;)

[alioguzhan]

• Upgrade react-scripts to 3.4.1 in package.json
• Remove yarn.lock file
• Perform a clean install with yarn install

To see if it is fixed, run npm ls minimist. It should be something like this: