yargs-parser vulnerability (@vue/cli-plugin-unit-jest > ts-jest > yargs-parser) #6160

Closed
grouchal opened this issue Dec 21, 2020 · 2 comments

Comments

@grouchal

grouchal commented Dec 21, 2020

Version

4.5.9

Reproduction link

no

Environment info

Environment Info:

  System:
    OS: macOS 11.1
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Binaries:
    Node: 15.4.0 - /usr/local/bin/node
    npm: 6.14.9 - /usr/local/bin/npm
  Browsers:
    Chrome: 87.0.4280.88
    Edge: 87.0.664.66
    Firefox: 82.0
    Safari: 14.0.2
  npmPackages:
    @graphql-codegen/typescript: 1.2.0 => 1.2.0 
    @storybook/vue: 6.1.11 => 6.1.11 
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.0-rc.2 
    @vue/babel-plugin-jsx:  1.0.0-rc.5 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.9 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli: 4.5.9 => 4.5.9 
    @vue/cli-overlay:  4.5.9 
    @vue/cli-plugin-babel: 4.5.9 => 4.5.9 
    @vue/cli-plugin-eslint: 4.5.9 => 4.5.9 
    @vue/cli-plugin-router:  4.5.9 
    @vue/cli-plugin-typescript: 4.5.9 => 4.5.9 
    @vue/cli-plugin-unit-jest: 4.5.9 => 4.5.9 
    @vue/cli-plugin-vuex:  4.5.9 
    @vue/cli-service: 4.5.9 => 4.5.9 
    @vue/cli-shared-utils:  4.5.9 
    @vue/cli-ui:  4.5.9 
    @vue/cli-ui-addon-webpack:  4.5.9 
    @vue/cli-ui-addon-widgets:  4.5.9 
    @vue/compiler-core:  3.0.0 (3.0.4)
    @vue/compiler-dom:  3.0.0 (3.0.4)
    @vue/compiler-sfc:  3.0.0 
    @vue/compiler-ssr:  3.0.0 
    @vue/component-compiler-utils:  3.2.0 (3.0.2)
    @vue/eslint-config-typescript: 5.0.2 => 5.0.2 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.4 
    @vue/runtime-core:  3.0.4 
    @vue/runtime-dom:  3.0.4 
    @vue/shared:  3.0.0 (3.0.4)
    @vue/test-utils: 1.0.0-beta.29 => 1.0.0-beta.29 
    @vue/web-component-wrapper:  1.2.0 
    apollo-storybook-vue: 0.0.6 => 0.0.6 
    babel-helper-vue-jsx-merge-props:  2.0.3 
    babel-plugin-transform-vue-jsx:  3.7.0 
    babel-preset-vue: 2.0.2 => 2.0.2 
    eslint-plugin-vue: 6.2.2 => 6.2.2 
    jest-serializer-vue:  2.0.2 
    portal-vue: 2.1.4 => 2.1.4 
    typescript: 3.7.5 => 3.7.5 (3.9.7)
    vue: 2.6.10 => 2.6.10 (2.6.12, 3.0.4)
    vue-apollo: 3.0.0-beta.30 => 3.0.0-beta.30 
    vue-autosuggest: 1.8.3 => 1.8.3 
    vue-clamp: 0.3.0 => 0.3.0 
    vue-class-component: 6.3.2 => 6.3.2 
    vue-cli-plugin-apollo: 0.22.2 => 0.22.2 (0.21.3)
    vue-codemod:  0.0.4 
    vue-custom-element: 3.2.6 => 3.2.6 
    vue-docgen-api:  4.34.2 
    vue-docgen-loader:  1.5.0 
    vue-eslint-parser:  7.0.0 
    vue-hot-reload-api:  2.3.4 
    vue-inbrowser-compiler-utils:  4.33.6 
    vue-jest:  3.0.7 
    vue-loader: 15.7.2 => 15.7.2 (16.1.2, 15.9.6)
    vue-match-heights: 0.1.1 => 0.1.1 
    vue-property-decorator: 7.3.0 => 7.3.0 
    vue-router: 3.3.4 => 3.3.4 
    vue-style-loader: 4.1.2 => 4.1.2 
    vue-template-compiler: 2.6.10 => 2.6.10 (2.6.12)
    vue-template-es2015-compiler:  1.9.1 
    vue2-touch-events: 2.3.2 => 2.3.2 
    vuex: 3.1.1 => 3.1.1 
    vuex-class: 0.3.2 => 0.3.2 
    vuex-module-decorators: 0.9.9 => 0.9.9 
    vuex-persistedstate: 2.5.4 => 2.5.4 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Include @vue/cli-plugin-unit-jest version 4.5.9 in the dependencies of a package.json. Run npm i, then npm audit.

What is expected?

Audit fails

What is actually happening?

Audit should pass

@grouchal
Author

Info from audit with version 4.5.9

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-jest [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-jest > ts-jest > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
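
Added example (not code from the issue or from the vue-cli project): a small checker that walks an `npm ls --json`-shaped dependency tree, finds every copy of yargs-parser, and tests its version against the "Patched in" range printed in the audit output above. The tree below is constructed for illustration, with assumed versions for ts-jest, jest and yargs-parser; the range grammar handled is the `||`-joined comparator sets npm audit prints.

```javascript
// Range copied from the audit table above; comparator sets joined by "||",
// each set a space-separated list of >=, >, <=, <, = comparators.
const PATCHED_IN = '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2';

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 comparing major.minor.patch numerically (pre-release tags ignored).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

const OPS = { '>=': c => c >= 0, '>': c => c > 0, '<=': c => c <= 0, '<': c => c < 0, '=': c => c === 0 };

// True when `version` satisfies at least one comparator set of `range`.
function satisfies(version, range) {
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(comp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      return OPS[m[1] || '='](compareVersions(version, m[2]));
    }));
}

// Recursively collect every occurrence of `pkg` with its path and patch status.
function findPackage(tree, pkg, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg) {
      hits.push({ path: here.join(' > '), version: node.version,
                  patched: satisfies(node.version, PATCHED_IN) });
    }
    hits.push(...findPackage(node, pkg, here));
  }
  return hits;
}

// Constructed sample tree (not a real install) mirroring the path from the audit output.
const SAMPLE_TREE = { dependencies: {
  '@vue/cli-plugin-unit-jest': { version: '4.5.9', dependencies: {
    'ts-jest': { version: '24.3.0', dependencies: { 'yargs-parser': { version: '13.1.1' } } } } },
  jest: { version: '26.6.3', dependencies: { 'yargs-parser': { version: '18.1.3' } } },
} };

console.table(findPackage(SAMPLE_TREE, 'yargs-parser'));
```

On a real project, feed it the parsed output of `npm ls yargs-parser --json` instead of SAMPLE_TREE; a hit with `patched: false` is the copy npm audit is complaining about.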

@haoqunjiang
Member

Duplicate of #5573 (comment)

Fixed in v5.0.0-alpha.0
