[CVE/Security] CVE-2021-44906, minimist, in npm v6

[mrbusche]

A critically rated CVE, CVE-2021-44906, is present in npm v6, minimist version 1.2.5 is vulnerable and the issue is fixed in 1.2.6.

I'm happy to submit a new package-lock.json after running npm audit fix. Doesn't look like any other files need updated based on the history of package-lock.json on v6 branch.

[ljharb]

Prototype pollution attacks in a command line parser aren’t a vulnerability, because the only person you can attack is yourself. While it’s fine if npm updates this, it’s a false positive that users should ignore.

[mrbusche]

Prototype pollution attacks in a command line parser aren’t a vulnerability, because the only person you can attack is yourself. While it’s fine if npm updates this, it’s a false positive that users should ignore.

Agreed, but it's getting flagged in the node:14 docker image and my company prevents containers from starting with critical CVE's after a certain period. Likely easier to fix in node vs getting an exception.

[ljharb]

Given that npm 6 is EOL, i wouldn’t expect so - if your security team won’t give exceptions to invalid CVEs (which is “most of them” in the JS ecosystem) then you have bigger problems, unfortunately.

[darcyclarke]

@ljharb / @mrbusche we'll do our best here to ship a v6 version with as many updates to deps (ideally resolving any warnings or vuln reports) this week. I've already personally begun to look into this & should be able to report back by EOW.

[darcyclarke]

Update: @mrbusche, @ruyadorno from our team just cut a new v6 (v6.14.17) which should address all of the critical CVEs flagged including minimist's CVE-2021-44906 (notably, this version of npm should get shipped in the next v14 release). You can get this release today by running npm i -g npm@6.

That said, there are still some lingering "high" severity vulns we cannot update unfortunately (their associated with transitive deps that were not patched within a semver range we can update to without breaking changes). This will likely get worse over time as more dependencies stop supporting legacy versions of their packages that supported unmaintained versions of Node. I'd suggest to you, and anyone else reading, to try to upgrade to v8 as soon as possible.

[mrbusche]

Update: @mrbusche, @ruyadorno from our team just cut a new v6 (v6.14.17) which should address all of the critical CVEs flagged including minimist's CVE-2021-44906 (notably, this version of npm should get shipped in the next v14 release). You can get this release today by running npm i -g npm@6.

That said, there are still some lingering "high" severity vulns we cannot update unfortunately (their associated with transitive deps that were not patched within a semver range we can update to without breaking changes). This will likely get worse over time as more dependencies stop supporting legacy versions of their packages that supported unmaintained versions of Node. I'd suggest to you, and anyone else reading, to try to upgrade to v8 as soon as possible.

Appreciate the update. Not your issues/concern but hoping Amazon releases a v16 lambda image soon, otherwise we'll end up forcing an update to v8.