
Address CVE in minimist<1.22, which is required via optimist

Open alex opened this issue 5 years ago • 2 comments

Describe the bug

CVE-2020-7598 impacts versions of minimist <1.2.2. dredd depends on optimist 0.6.1, which in turn depends on minimist 0.0.1. As a result of these dependencies, there is no way to use dredd without being impacted by this CVE.

To Reproduce

Create a package.json + package-lock.json depending on dredd. Put them in a github repo. Observe that Github sends you a security alert about this.

Expected behavior

No security alert!

alex, Mar 18 '20 13:03

Hi @alex,

Thanks for the clear report. Looks like optimist is deprecated/unmaintained and the original creator of optimist suggests just using minimist directly or yargs.

I think minimist is the approach we should take as it is a smaller maintained library which has no dependencies.

yargs on the other hand will be problematic for us to use as it has some older (possibly unmaintained) dependencies of its own:

[email protected]
License: MIT
Copyright Notifce: Copyright 2010 James Halliday ([email protected])
Dependencies: 26
Eligible for Pre-Approval: false

Description: yargs the modern, pirate-themed, successor to optimist.
Package: https://npmjs.com/package/yargs
Repository: https://github.com/yargs/yargs
Tarball: https://registry.apiary-internal.com/yargs/-/yargs-15.3.1.tgz


Old Dependencies: 2
[email protected] (MIT) - 18 months old (Fri Sep 21 2018)
[email protected] (MIT) - 49 months old (Sat Mar 05 2016)

I'm not sure how involved this would be, but looks like the use for optimist is relatively contained:

packages/dredd/lib/CLI.js:import optimist from 'optimist';
packages/dredd/lib/CLI.js:    this.optimist = optimist(this.custom.argv, this.custom.cwd);
packages/dredd/lib/CLI.js:    this.cliArgv = this.optimist.argv;
packages/dredd/lib/CLI.js:    this.optimist
packages/dredd/lib/CLI.js:    this.argv = this.optimist.argv;
packages/dredd/lib/CLI.js:      this.optimist.showHelp(console.error);
packages/dredd/lib/CLI.js:      this.optimist.showHelp(console.error);
packages/dredd/lib/CLI.js:    // from optimist's args
packages/dredd/package.json:    "optimist": "0.6.1",
packages/dredd/test/unit/CLI-test.js:    it('has argv property set to object with properties from optimist', () => {

Hopefully we can get to trying to replace optimist with minimist directly soon, but if anyone out there wants to try and collaborate on Dredd then let us know (so we don't duplicate any efforts).

kylef, Mar 19 '20 12:03
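The report above relies on GitHub's alert to notice the transitive minimist. As an added example (not code from the dredd project), the script below reads a package-lock.json in the lockfileVersion 1 layout, resolves each `requires` entry the way node's nested node_modules lookup does, and reports every dependency that actually ends up with a minimist older than 1.2.2. The lock data is constructed for the demonstration; the package versions in it, apart from optimist 0.6.1, are not real dredd releases.

```javascript
// Flag packages whose `requires` resolves to a vulnerable minimist (< 1.2.2, CVE-2020-7598).
const VULNERABLE_PKG = 'minimist';
const FIXED_VERSION = '1.2.2';

// Numeric major.minor.patch comparison (enough for release versions in a lock file).
function versionLt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Resolve `name` from a package nested under `chain`: innermost node_modules first,
// then outward to the project root, mirroring node's module lookup.
function resolveFrom(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return undefined;
}

// Walk every lock entry; for each one that requires `pkg`, find the copy it gets.
function findVulnerableRequires(lock, pkg = VULNERABLE_PKG, fixed = FIXED_VERSION) {
  const findings = [];
  function walk(node, chain, label) {
    for (const [name, entry] of Object.entries(node.dependencies || {})) {
      const here = chain.concat(entry);
      const path = label.concat(`${name}@${entry.version}`);
      if (entry.requires && entry.requires[pkg]) {
        const got = resolveFrom(here, pkg);
        if (got && versionLt(got.version, fixed)) {
          findings.push(`${path.join(' > ')} > ${pkg}@${got.version} (wants ${entry.requires[pkg]})`);
        }
      }
      walk(entry, here, path); // nested (non-hoisted) copies live under the entry
    }
  }
  walk(lock, [lock], []);
  return findings;
}

// Constructed lock data: a hoisted, patched minimist plus an old copy nested under optimist.
const SAMPLE_LOCK = {
  name: 'api-tests', lockfileVersion: 1,
  dependencies: {
    dredd: { version: '13.0.0', requires: { optimist: '0.6.1' } },
    optimist: { version: '0.6.1', requires: { minimist: '~0.0.1', wordwrap: '~0.0.2' },
      dependencies: { minimist: { version: '0.0.10' } } },
    minimist: { version: '1.2.5' },
    'some-cli': { version: '2.0.0', requires: { minimist: '^1.2.0' } },
    wordwrap: { version: '0.0.3' },
  },
};
console.log(findVulnerableRequires(SAMPLE_LOCK).join('\n'));
```

Only the optimist path is reported, because some-cli resolves to the hoisted minimist 1.2.5; running this over a real lock file (`JSON.parse(fs.readFileSync('package-lock.json'))`) shows exactly which requirer keeps the old copy alive.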

According to https://www.npmjs.com/package/optimist

  • the package maintainer has deprecated optimist in favour of minimist
  • the last release was 8 years ago

jonashdown, Dec 20 '21 17:12