
Some vulnerabilities require your attention to resolve - minimist #496

Closed
fabiofilz opened this issue Mar 18, 2020 · 3 comments
Assignees: miketheman
Labels: cannot confirm (Bug failed to be confirmed), dependencies

Comments

@fabiofilz

Hi,

I am running a pipeline using the lambci/lambda:build-python3.6
The process installs the packages/dependencies below:
yum install postgresql-dev gcc curl
curl -sL https://rpm.nodesource.com/setup_12.x | bash -
yum install -y nodejs
npm install -g serverless

After these steps, when it executes sls to install serverless-python-requirements it works fine, but if it executes npm install to install the same package version it returns a warning about vulnerabilities.

Could you please check it?

The logs are below

sh-4.2# sls plugin install -n serverless-python-requirements@5.1.0
Serverless: Installing plugin "serverless-python-requirements@5.1.0" (this might take a few seconds...)
Serverless: Successfully installed "serverless-python-requirements@5.1.0"
sh-4.2# cat package.json
{
  "name": "processing",
  "version": "1.0.0",
  "description": "AWS Cost Data Processors",
  "main": " ",
  "scripts": {
    "test": " "
  },
  "repository": {
    "type": "git",
    "url": " "
  },
  "keywords": [
    "AWS",
    "Cost",
    "Custom"
  ],
  "author": "Fabio",
  "license": "ISC",
  "devDependencies": {
    "serverless-python-requirements": "^5.1.0"
  }
}

If I execute npm install, it returns a different result:
sh-4.2# npm install
audited 62 packages in 1.643s

2 packages are looking for funding
run npm fund for details

found 1 moderate severity vulnerability
run npm audit fix to fix them, or npm audit for details

sh-4.2# npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-python-requirements [dev]                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless-python-requirements > glob-all > yargs > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 62 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Your Environment Information ---------------------------
Operating System: linux
Node Version: 12.16.1
Framework Version: 1.66.0
Plugin Version: 3.5.0
SDK Version: 2.3.0
Components Version: 2.22.3

sh-4.2# python --version
Python 3.6.10

Thanks,
Fabio
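
The advisory in the audit output above (npm advisory 1179, prototype pollution in minimist) concerns an argument parser that lets a key segment such as __proto__ walk into Object.prototype. The block below is an added example written for this page, not minimist's code and not part of the original issue: a toy dotted-key argv parser (invented helper names splitArg, parseArgsUnsafe, parseArgsSafe, demonstrate) in the form that has the defect class, next to a hardened form that rejects prototype-reaching keys and builds its result from null-prototype objects. The argv strings are constructed input.

```javascript
'use strict';

// Added example for this page, not minimist's code: a toy argv parser that
// maps "--a.b=value" onto nested objects, first in a form with the
// prototype-pollution defect class described by npm advisory 1179, then in a
// hardened form. All function names here are illustrative.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "--a.b.c=value" into { path: ['a', 'b', 'c'], value: 'value' }.
// A flag with no "=" becomes boolean true, as most argv parsers do.
function splitArg(arg) {
  const body = arg.startsWith('--') ? arg.slice(2) : arg;
  const eq = body.indexOf('=');
  const key = eq === -1 ? body : body.slice(0, eq);
  const value = eq === -1 ? true : body.slice(eq + 1);
  return { path: key.split('.'), value };
}

// Vulnerable form: walks the dotted path through plain objects with no key
// filtering. For "--__proto__.polluted=yes", cur['__proto__'] is
// Object.prototype itself, so the final assignment lands there and every
// plain object in the process inherits a "polluted" property afterwards.
function parseArgsUnsafe(argv) {
  const out = {};
  for (const arg of argv) {
    const { path, value } = splitArg(arg);
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (cur[path[i]] === undefined) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened form: rejects any segment that can reach a prototype, and builds
// the result from null-prototype objects so there is no inherited
// "__proto__" accessor to walk into even if a check is missed.
function parseArgsSafe(argv) {
  const out = Object.create(null);
  for (const arg of argv) {
    const { path, value } = splitArg(arg);
    if (path.some((seg) => DANGEROUS_KEYS.has(seg))) {
      throw new Error(`refusing argument key that reaches a prototype: ${arg}`);
    }
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Runs the same hostile argv (constructed input) through both parsers and
// reports the effect on an unrelated empty object. Deletes the polluted
// property afterwards so the rest of the process is left clean.
function demonstrate() {
  const argv = ['--name=job1', '--__proto__.polluted=yes'];
  const report = { before: ({}).polluted };
  parseArgsUnsafe(argv);
  report.unsafe = ({}).polluted;          // 'yes': pollution reached Object.prototype
  delete Object.prototype.polluted;       // clean up the global damage
  try {
    parseArgsSafe(argv);
    report.safe = 'accepted';
  } catch (err) {
    report.safe = 'rejected';
  }
  report.after = ({}).polluted;           // undefined: hardened parser left it alone
  return report;
}

console.log(demonstrate());
console.log(parseArgsSafe(['--name=job1', '--db.host=localhost', '--verbose']));
```

The key-name denylist and the null-prototype result object are independent defences; either alone stops the __proto__ walk, and keeping both means a missed check in one layer is caught by the other.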

@miketheman
Contributor

Thanks for the report! As you can see from the audit report, the package in question is minimist, which is a dependency of yargs, which is a dependency of glob-all.

This plugin depends on glob-all directly, not the sub-dependencies - https://github.com/UnitedIncome/serverless-python-requirements/blob/b6529473c532ece2df36ca05eae27d80a2483967/package.json#L58

And yargs removed their dependency on minimist back in 2014 - yargs/yargs#33 - so it's unclear how this is surfacing on your use case.

I tried the exact same steps you detailed, and got no such warning, nor was minimist installed, so I'm confused how this appeared for you.

@miketheman
Contributor

You could try to provide some more details, like "how is minimist installed" - via an npm ls command, like this (I provided a yargs example, since there's no minimist installed in my case):

sh-4.2# npm ls yargs
[email protected] /var/task
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]

sh-4.2# npm ls minimist
[email protected] /var/task
└── (empty)
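
The npm ls check above answers the question "which logical chain pulls this package in, and which physical copy does it resolve to". The block below is an added example written for this page, not npm's code and not part of the thread: it walks a constructed lockfileVersion 1 package-lock.json, lists every chain from the root to a target package, resolves each to the copy Node's loader would actually pick (a nested copy shadows a hoisted one), and checks that copy's version against the "Patched in" range string from the audit output. The lockfile contents, the package example-cli and the yargs -> minimist edge are invented so the walker reproduces the path printed in the audit report; as noted above, current yargs has no such dependency. Helper names (cmpVersion, satisfies, resolve, findPaths, auditPackage) are illustrative.

```javascript
'use strict';

// Added example for this page, not npm's code: a small walker over a
// lockfileVersion 1 package-lock.json that lists every logical dependency
// chain reaching a package, the physical copy each chain resolves to, and
// whether that copy's version falls inside an advisory's "Patched in" range.

// Constructed sample lockfile. Nested "dependencies" mirror the node_modules
// layout and "requires" records the logical edges, as in a real v1 lockfile.
// The yargs -> minimist edge, example-cli and all version numbers are invented
// so the walker reproduces the path from the audit report; not real metadata.
const SAMPLE_LOCK = {
  name: 'processing',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'serverless-python-requirements': { version: '5.1.0', requires: { 'glob-all': '^3.1.0' } },
    'glob-all': { version: '3.1.0', requires: { yargs: '^1.2.6' } },
    yargs: { version: '1.2.6', requires: { minimist: '^1.2.0' } },
    minimist: { version: '1.2.0' },                      // hoisted copy, unpatched
    'example-cli': {
      version: '2.0.0',
      requires: { minimist: '^1.2.5' },
      dependencies: { minimist: { version: '1.2.5' } },  // nested copy, patched
    },
  },
};
const ROOT_DEPS = ['serverless-python-requirements', 'example-cli'];
const PATCHED_IN = '>=0.2.1 <1.0.0 || >=1.2.3';   // range string from the audit output

// Compare two dotted numeric versions (pre-release tags are not handled).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Evaluate an npm-style range made of "||" alternatives, each a list of
// comparators such as ">=0.2.1 <1.0.0". Only >=, <=, >, <, = are supported.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const c = cmpVersion(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    }));
}

// Resolve `name` from the innermost node outward, the way Node's loader walks
// up through parent node_modules directories: a nested copy shadows a hoisted one.
function resolve(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Enumerate every logical chain from the root to `target` and the version it resolves to.
function findPaths(lock, rootDeps, target) {
  const found = [];
  const walk = (chain, names) => {
    const node = chain[chain.length - 1];
    const reqs = chain.length === 1 ? rootDeps : Object.keys(node.requires || {});
    for (const dep of reqs) {
      if (names.includes(dep)) continue;            // cycle guard
      const child = resolve(chain, dep);
      if (!child) continue;                           // not in the lockfile: skip
      const path = names.concat(dep);
      if (dep === target) found.push({ path, version: child.version });
      walk(chain.concat(child), path);
    }
  };
  walk([lock], []);
  return found;
}

// Produce audit-style rows: the "Path" line and whether the resolved copy is patched.
function auditPackage(lock, rootDeps, target, patchedIn) {
  return findPaths(lock, rootDeps, target).map(({ path, version }) => ({
    path: path.join(' > '),
    version,
    patched: satisfies(version, patchedIn),
  }));
}

console.log(auditPackage(SAMPLE_LOCK, ROOT_DEPS, 'minimist', PATCHED_IN));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed package-lock.json and ROOT_DEPS with the dependency names from package.json; the distinction between the hoisted copy and a nested copy is exactly why npm ls and npm audit can report a version that a naive grep of the top-level node_modules would miss.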

@miketheman miketheman added the cannot confirm Bug failed to be confirmed label Apr 18, 2020
@miketheman miketheman self-assigned this Apr 18, 2020
@bsamuel-ui
Contributor

I concur with mike, and if yargs has fixed the issue, we're not affected.
