
Prototype Pollution via ts-jest > yargs-parser #5573


Closed
msklvsk opened this issue Jun 12, 2020 · 7 comments

Comments

@msklvsk

msklvsk commented Jun 12, 2020

Version

4.4.1

Environment info

System:
    OS: macOS 10.15.4
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Binaries:
    Node: 13.12.0 - /usr/local/bin/node
    Yarn: 1.22.4 - /usr/local/bin/yarn
    npm: 6.14.4 - /usr/local/bin/npm
  Browsers:
    Chrome: 83.0.4103.97
    Firefox: 77.0.1
    Safari: 13.1
  npmPackages:
    @vue/cli-plugin-unit-jest: ^4.4.1 => 4.4.1 
    @vue/cli-shared-utils:  4.4.1 
    jest-serializer-vue:  2.0.2 
    vue-jest:  3.0.5 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.2.3

Steps to reproduce

npm i @vue/cli-plugin-unit-jest

What is expected?

“Found 0 vulnerabilities.”

What is actually happening?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-jest [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-jest > ts-jest > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
@Chadys

Chadys commented Jun 12, 2020

Same issue on 4.4.3.
More recent versions of ts-jest don't have that problem; the dependency on ts-jest should therefore be updated to v25.3.0 minimum (the first version with a non-vulnerable dependency on yargs-parser).
See the corresponding commit.

@haoqunjiang
Member

Not possible in this major because that's a breaking change for Vue CLI.

And there is no actual vulnerability exposed to the end-users, because in ts-jest, yargs-parser is only used for parsing command-line arguments for the ts-jest command, such as ts-jest config:init, which an end-user would never have the chance to call.

If you do need to circumvent the warning, you can use the resolutions field in package.json and npm-force-resolutions.

@Aaronm14

Aaronm14 commented Jun 17, 2020

Also having this issue (from this library and also laravel-mix).

I did as @sodatea suggested, which removed the warnings, not yet clear what kind of impact it might have to the libraries that depend on the problem versions. Seems okay so far.

In package.json:

...
"scripts": {
  "preinstall": "npx npm-force-resolutions"
},
"resolutions": {
  "yargs-parser": "15.0.1"
},
...

@MakiOtaku

MakiOtaku commented Jun 18, 2020


Same as @Aaronm14: originally my problem was just Laravel-mix, but then I tried to just input what @msklvsk shared, which is (npm i @vue/cli-plugin-unit-jest), and then a new error was added, which is the (@vue/cli-plugin-unit-jest > ts-jest > yargs-parser). So I tried to do what @sodatea suggested, and the same thing happened as with Aaron: it removed the warnings. I'm really not sure what happened, but it worked.

In package.json just copy what Aaronm14 input.

@fabrizioanichini

I wonder what impact this vulnerability can have. For me the dependency is related to laravel-mix (4.1.4).
@sodatea, do you know if there are vulnerabilities exposed to the end-users in the laravel-mix scenario?

@lartheon

Updated yargs-parser to 18.1.3 but I'm still seeing this vulnerability warning.
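A way to check every copy of yargs-parser that a lockfile resolves against the patched ranges quoted in the audit table above, as an added example that is not part of this thread or of vue-cli, ts-jest or yargs-parser; the range string comes from the audit output, while the lockfile data and the nested version 13.1.1 are constructed for illustration.

```javascript
// Added example: check each yargs-parser copy in an npm 6 style package-lock.json
// against the "Patched in" ranges from the npm audit table. Lock data is constructed.
const PATCHED_RANGES = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';

function parseVersion(v) {               // "18.1.3" -> [18, 1, 3]; pre-release tags ignored
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {                 // -1, 0 or 1 like a sort comparator
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function satisfiesComparator(version, comparator) {   // e.g. ">=13.1.2" or "<14.0.0"
  const m = /^(>=|<=|>|<|=)?\s*(\S+)$/.exec(comparator);
  const c = compare(version, parseVersion(m[2]));
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// "||" separates alternatives; whitespace inside one alternative means AND.
function satisfies(versionString, rangeString) {
  const version = parseVersion(versionString);
  return rangeString.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => satisfiesComparator(version, cmp)));
}

function isPatched(versionString) { return satisfies(versionString, PATCHED_RANGES); }

// Walk the nested "dependencies" tree and report every yargs-parser copy with its path,
// so a patched top-level copy does not hide an older nested one.
function auditLock(lock, path = [], out = []) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const here = [...path, name];
    if (name === 'yargs-parser') {
      out.push({ path: here.join(' > '), version: entry.version, patched: isPatched(entry.version) });
    }
    auditLock(entry, here, out);
  }
  return out;
}

// Constructed lock fragment: a patched top-level copy plus an older copy nested under ts-jest
// (other lock fields omitted; 13.1.1 is just below the patched floor and chosen for illustration).
const SAMPLE_LOCK = { dependencies: {
  'yargs-parser': { version: '18.1.3' },
  'ts-jest': { dependencies: { 'yargs-parser': { version: '13.1.1' } } },
} };
```

Run `auditLock(JSON.parse(fs.readFileSync('package-lock.json')))` against a real lockfile to list each copy with its path and patched status.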

@lartheon

Also having this issue (from this library and also laravel-mix).

I did as @sodatea suggested, which removed the warnings, not yet clear what kind of impact it might have to the libraries that depend on the problem versions. Seems okay so far.

In package.json:

...
"scripts": {
  "preinstall": "npx npm-force-resolutions"
},
"resolutions": {
  "yargs-parser": "15.0.1"
},
...

This worked for me; this looks like the best workaround for the time being.

sindre-nistad added a commit to equinor/APS-Facies that referenced this issue Mar 11, 2024
Additionally, this vulnerability should not be able to touch the package using it (@vue/cli-plugin-unit-jest)
See vuejs/vue-cli#5573 for more