
Package dependency triggers NPM advisory (1179)

Open jsevedge opened this issue 4 years ago • 5 comments

Describe the bug

npm audit triggers an advisory from a tertiary dependency.

[
  {
    module: 'minimist',
    path: 'dredd>optimist>minimist',
    vulnerability: {
      id: 1179,
      url: 'https://npmjs.com/advisories/1179',
      recommendation: 'Upgrade to versions 0.2.1, 1.2.3 or later.'
    }
  }
]

To Reproduce

Run npm audit and observe that the vulnerability ID is listed.

Expected behavior

npm audit should not list any vulnerabilities tied to this package (or its dependencies).

What is in your dredd.yml?

N/A

What's your dredd --version output?

N/A

Does dredd --loglevel=debug uncover something?

N/A

Can you send us failing test in a Pull Request?

N/A

jsevedge avatar Feb 12 '21 19:02 jsevedge

FYI, it looks like optimist is deprecated (no new versions in 7 years) with a recommendation to use minimist instead.

jsevedge avatar Feb 12 '21 19:02 jsevedge

@abtris or another maintainer... looking for some guidance here. It appears optimist is used as the command line parser for this project's CLI. Would you be open to a pull request where that is swapped out for a more current package (such as yargs, minimist, etc.)? Seems like swapping that out is the best way to get rid of this security alert for good. If not, any other suggestions?

jsevedge avatar May 25 '21 23:05 jsevedge

I see in Dependabot:

Dependabot cannot update minimist to a non-vulnerable version
The latest possible version that can be installed is 0.0.10 because of the following conflicting dependencies:

[email protected] requires minimist@^1.2.5 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.2.0 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.2.5 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.1.3 via a transitive dependency on [email protected]
[email protected] requires minimist@^1.1.3 via a transitive dependency on [email protected]
The earliest fixed version is 0.2.1.

abtris avatar May 26 '21 10:05 abtris
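The two pieces of tooling output above (the npm audit entry with its `dredd>optimist>minimist` path, and Dependabot's "cannot update to a non-vulnerable version" verdict) are the two checks a maintainer needs when a transitive package is flagged: which direct dependency pulls it in, whether the installed copy is actually on a vulnerable line, and whether any of the advisory's fixed versions can be installed without changing the parent's declared range. The script below is an added example and is not code from dredd, npm or Dependabot; it walks a constructed, package-lock-v1-style tree (the `~0.0.1` range on optimist, the `build-tool` package and all version numbers are assumptions for illustration, not dredd's real lockfile) and uses only the fixed versions quoted in the advisory's recommendation. The semver handling is deliberately minimal (exact, `~`, `^`, `*`); a real tool should use the `semver` package.

```javascript
// Added example (not dredd's code): trace how a flagged transitive package is
// reached and whether the advisory's fixed versions fit the parent's range.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unsupported version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  return 0;
}

// Minimal semver ranges: exact, ~x.y.z, ^x.y.z, *. Follows npm's rule that a
// caret on a 0.y.z version only allows patch bumps (^0.0.1 means >=0.0.1 <0.0.2).
function satisfies(version, range) {
  if (range === '*' || range === '') return true;
  const op = range[0];
  const base = (op === '^' || op === '~') ? range.slice(1) : range;
  const [x, y, z] = parseVersion(base);
  if (compareVersions(version, base) < 0) return false;
  let upper;
  if (op === '~' || (op === '^' && x === 0 && y !== 0)) upper = `${x}.${y + 1}.0`;
  else if (op === '^' && x === 0 && y === 0) upper = `0.0.${z + 1}`;
  else if (op === '^') upper = `${x + 1}.0.0`;
  else return compareVersions(version, base) === 0; // exact pin
  return compareVersions(version, upper) < 0;
}

// The advisory lists one fixed version per release line (0.2.1 and 1.2.3).
// A version is vulnerable if it is below the fix on its own major line; a major
// above every fix line is treated as fixed, one below all of them as vulnerable.
function isVulnerable(version, fixedVersions) {
  const major = parseVersion(version)[0];
  const sameLine = fixedVersions.find((f) => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(version, sameLine) < 0;
  const highestFixedMajor = Math.max(...fixedVersions.map((f) => parseVersion(f)[0]));
  return major < highestFixedMajor;
}

// Walk a package-lock v1 style tree: `requires` holds declared ranges,
// `dependencies` holds installed (possibly nested) copies. Like npm, a name is
// resolved from the nearest enclosing node outwards (nested copy beats hoisted).
function findPaths(root, target) {
  const hits = [];
  function resolve(name, chain) {
    for (let i = chain.length - 1; i >= 0; i--) {
      const deps = chain[i].node.dependencies;
      if (deps && deps[name]) return deps[name];
    }
    return null;
  }
  function walk(chain) {
    const current = chain[chain.length - 1];
    for (const [name, range] of Object.entries(current.node.requires || {})) {
      if (chain.some((c) => c.name === name)) continue; // cycle guard
      const child = resolve(name, chain);
      if (!child) continue;
      const next = chain.concat({ name, node: child, range });
      if (name === target) {
        hits.push({ path: next.map((c) => c.name).join('>'), parent: current.name,
                    parentRange: range, version: child.version });
      } else {
        walk(next);
      }
    }
  }
  walk([{ name: root.name, node: root, range: null }]);
  return hits;
}

// For each path, decide whether the installed copy is vulnerable and whether any
// fixed version could be installed under the parent's declared range. An empty
// `fixesInRange` on a vulnerable path means the parent itself must change.
function auditPaths(root, advisory) {
  return findPaths(root, advisory.module).map((hit) => {
    const vulnerable = isVulnerable(hit.version, advisory.fixedVersions);
    const fixesInRange = advisory.fixedVersions.filter((f) => satisfies(f, hit.parentRange));
    return { ...hit, vulnerable, fixesInRange, fixable: !vulnerable || fixesInRange.length > 0 };
  });
}

// Constructed tree (hypothetical ranges, versions and the 'build-tool' package).
const lockTree = {
  name: 'dredd', version: '0.0.0-example',
  requires: { optimist: '~0.6.1', 'build-tool': '^2.0.0' },
  dependencies: {
    optimist: {
      version: '0.6.1',
      requires: { minimist: '~0.0.1' }, // assumption: what pins the 0.0.x line
      dependencies: { minimist: { version: '0.0.10' } },
    },
    'build-tool': { version: '2.0.0', requires: { minimist: '^1.2.5' } },
    minimist: { version: '1.2.5' }, // hoisted copy, reached by build-tool
  },
};

// Fixed versions taken from advisory 1179's recommendation quoted in the issue.
const advisory = { module: 'minimist', id: 1179, fixedVersions: ['0.2.1', '1.2.3'] };

console.log(JSON.stringify(auditPaths(lockTree, advisory), null, 2));
```

On this tree the `dredd>optimist>minimist` path reports `vulnerable: true` with no fixed version inside `~0.0.1`, which is the situation Dependabot describes: nothing in the allowed range is patched, so the only remedy is to change or replace the parent that declares the range. The hoisted 1.2.5 copy reached through the other path is already at or above 1.2.3 and is not flagged.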

@opichals @kuba-kubula any advice on this?

abtris avatar May 26 '21 10:05 abtris

I did some prior analysis in https://github.com/apiaryio/dredd/issues/1695#issuecomment-601151348 with suggestion on how to proceed. Looks like yargs as a replacement might be a bit problematic due to licensing (although this may have changed). Last I checked minimist shouldn't be much of a problem, and it's already in the dependency tree albeit an older version.

kylef avatar May 26 '21 12:05 kylef