
Address Dependabot alert: Upgrade yargs-parser

Open LauraUSDS opened this issue 5 years ago • 6 comments

Fix the security issue explained here: https://github.com/usds/website/network/alert/package-lock.json/yargs-parser/open

LauraUSDS avatar Sep 17 '20 20:09 LauraUSDS

I was able to check that some of the outdated yargs/yargs-parser packages are updated, however Gulp and Gulp-CLI (both things that we use) are dependent on an outdated version of this.

The response from the folks that maintain Gulp is mostly, "this isn't that severe, we're going to fix this in a later version".

drew-usds avatar Sep 18 '20 03:09 drew-usds

Out of curiosity I tried nuking my node_modules and package-lock and started with a fresh npm install on my localhost. It cleared up the alert for me locally, however GH rejected the PR with the updated package-lock.

drew-usds avatar Sep 18 '20 04:09 drew-usds

I'm going to dismiss the alert for now to see if it'll fix current PRs that are breaking. We'll want to check back in on gulp/gulp-cli/yargs-parser later.

Here's GH's remediation recs for posterity:

Remediation

Upgrade yargs-parser to version 13.1.2 or later. For example:

```json
"dependencies": {
  "yargs-parser": ">=13.1.2"
}
```

or

```json
"devDependencies": {
  "yargs-parser": ">=13.1.2"
}
```

Always verify the validity and compatibility of suggestions with your codebase.

Details

- GHSA-p9pc-299p-vxgp
- Low severity
- Vulnerable versions: < 13.1.2
- Patched version: 13.1.2

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.

Parsing the argument `--foo.__proto__.bar baz` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

drew-usds avatar Sep 24 '20 20:09 drew-usds
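To make the advisory quoted above concrete, here is an added example (not code from the usds/website repo or from yargs-parser itself) of a minimal dotted-key argument setter: the naive walk that the advisory describes, the hardened form that rejects prototype-walking segments, and a post-parse check a build script can run to confirm `Object.prototype` was not polluted. The argument names and the `parseArgs` helper are constructed for the demo.

```javascript
// Key segments that let a dotted path walk out of the target object and
// into Object.prototype (the advisory's "--foo.__proto__.bar baz" case).
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive setter: for "foo.__proto__.bar", cur['__proto__'] on a plain object
// IS Object.prototype, so the final assignment lands on every object.
function setPathUnsafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  let cur = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

// Hardened setter: refuse the whole argument if any segment is dangerous,
// and only descend into properties the target itself owns.
function setPathSafe(target, dottedKey, value) {
  const parts = dottedKey.split('.');
  if (parts.some((p) => UNSAFE_SEGMENTS.has(p))) return false;
  let cur = target;
  for (const part of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, part);
    if (!own || typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
  return true;
}

// Tiny "--key value" / "--flag" parser; setPath decides how keys are stored.
function parseArgs(argv, setPath = setPathSafe) {
  const args = {};
  const rejected = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (!tok.startsWith('--')) continue;
    const hasValue = i + 1 < argv.length && !argv[i + 1].startsWith('--');
    const value = hasValue ? argv[++i] : true;
    if (!setPath(args, tok.slice(2), value)) rejected.push(tok);
  }
  return { args, rejected };
}

// Post-parse check: a fresh {} must have no enumerable inherited keys.
function prototypeIsClean() {
  for (const k in {}) return false; // eslint-disable-line no-unused-vars
  return true;
}
```

Running `parseArgs` with `setPathSafe` over the advisory's argument returns it in `rejected` and leaves `prototypeIsClean()` true; a build script can call that check after argument parsing and fail loudly instead of letting a polluted `Object.prototype` reach later build steps.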

@drew-usds Now that it's been a month, can you check to see if we can close this out by any chance? (yargs-parser for Gulp)

LauraUSDS avatar Oct 28 '20 19:10 LauraUSDS

@LauraUSDS Ah sorry, I'm realizing my updates on 9/17 and 9/24 weren't super clear ... the folks that maintain Gulp, the thing we use that's dependent on this old version of yargs-parser, aren't updating anything with this until their next version. We can't really do anything with this until then.

We've already suppressed the GitHub alert to fix some previous problems with breaking site builds. "Good" news is that this isn't a severe vulnerability and, according to the maintainers, won't affect production builds.

drew-usds avatar Oct 29 '20 16:10 drew-usds

@drew-usds Ah, ok. I didn't know how often Gulp updates so I'd set a reminder for a month later (ambitious? likely). I'll keep it on my list, but without a reminder date ;)

LauraUSDS avatar Oct 30 '20 17:10 LauraUSDS

I'm removing Gulp.

kategreenUSDS avatar Jan 09 '23 21:01 kategreenUSDS