
[CVE/Security] CVE-2021-44906, minimist, in npm v6 #4799

Closed
mrbusche opened this issue Apr 25, 2022 · 6 comments
Labels
Release 6.x work is associated with a specific npm 6 release Security security related

Comments

@mrbusche

A critically rated CVE, CVE-2021-44906, is present in npm v6: minimist version 1.2.5 is vulnerable and the issue is fixed in 1.2.6.

I'm happy to submit a new package-lock.json after running npm audit fix. It doesn't look like any other files need to be updated, based on the history of package-lock.json on the v6 branch.
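The check a container or CI gate applies to a lockfile, as an added example that is not npm's code or the reporter's: it walks a package-lock.json (either the nested `dependencies` tree of lockfileVersion 1 or the flat `packages` map of lockfileVersion 2/3) and reports every installed copy of a named package whose version is below the first fixed version. The advisory values come from the issue text (minimist, fixed in 1.2.6); the two lockfiles are constructed for this example, and `findVulnerable`, `compareVersions` and the helper names are this example's own.

```javascript
// Added example, not code from npm or from this issue's author.
// Advisory data taken from the issue: minimist < 1.2.6 is affected by CVE-2021-44906.
const ADVISORY = { name: 'minimist', fixedIn: '1.2.6' };

// Compare two "major.minor.patch" strings; prerelease and build tags are stripped
// because the fixed version in the advisory carries none.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: a nested "dependencies" tree; each node may carry its own
// "dependencies" for copies installed under that package's node_modules.
function walkV1(deps, prefix, out) {
  for (const [name, node] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    out.push({ name, path, version: node.version });
    walkV1(node.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3: a flat "packages" map keyed by install path.
// The package name is the path segment after the last "node_modules/"
// (which also handles scoped packages) unless the entry names an alias.
function walkV2(packages, out) {
  const marker = 'node_modules/';
  for (const [path, node] of Object.entries(packages)) {
    if (path === '') continue; // the root project entry, not a dependency
    const name = node.name || path.slice(path.lastIndexOf(marker) + marker.length);
    out.push({ name, path, version: node.version });
  }
}

function installedCopies(lock) {
  const out = [];
  if (lock.packages) walkV2(lock.packages, out);
  else walkV1(lock.dependencies, '', out);
  return out;
}

// Every installed copy of advisory.name below advisory.fixedIn, with its install path,
// so nested duplicates (the usual reason `npm audit` keeps flagging a package) are visible.
function findVulnerable(lock, advisory = ADVISORY) {
  return installedCopies(lock)
    .filter(p => p.name === advisory.name && compareVersions(p.version, advisory.fixedIn) < 0)
    .map(p => ({ path: p.path, version: p.version }));
}

// Constructed lockfileVersion 1 sample: one top-level vulnerable copy, one fixed copy
// nested under mkdirp, one old copy nested under a hypothetical "some-tool".
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.5' },
    mkdirp: { version: '0.5.6', dependencies: { minimist: { version: '1.2.6' } } },
    'some-tool': { version: '1.0.0', dependencies: { minimist: { version: '0.0.8' } } },
  },
};

// Constructed lockfileVersion 2 sample: the top-level copy is fixed, a nested one is not.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-project', version: '1.0.0' },
    'node_modules/minimist': { version: '1.2.6' },
    'node_modules/mkdirp': { version: '0.5.6' },
    'node_modules/mkdirp/node_modules/minimist': { version: '1.2.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerable(SAMPLE_LOCK_V1));
  console.log(findVulnerable(SAMPLE_LOCK_V2));
}
```

To run it against a real lockfile, replace the samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result is what an image scanner reports, and the install paths tell you which parent dependency pins the old copy.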

@mrbusche mrbusche changed the title [BUG] CVE-2021-44906 in npm v6 [CVE/Security] CVE-2021-44906, minimist, in npm v6 Apr 25, 2022
@ljharb
Contributor

ljharb commented Apr 25, 2022

Prototype pollution attacks in a command line parser aren’t a vulnerability, because the only person you can attack is yourself. While it’s fine if npm updates this, it’s a false positive that users should ignore.

@mrbusche
Author

> Prototype pollution attacks in a command line parser aren’t a vulnerability, because the only person you can attack is yourself. While it’s fine if npm updates this, it’s a false positive that users should ignore.

Agreed, but it's getting flagged in the node:14 docker image and my company prevents containers from starting with critical CVEs after a certain period. Likely easier to fix in node vs getting an exception.

@ljharb
Contributor

ljharb commented Apr 25, 2022

Given that npm 6 is EOL, I wouldn’t expect so. If your security team won’t give exceptions to invalid CVEs (which is “most of them” in the JS ecosystem), then you have bigger problems, unfortunately.

@darcyclarke
Contributor

@ljharb / @mrbusche we'll do our best here to ship a v6 version with as many updates to deps (ideally resolving any warnings or vuln reports) this week. I've already personally begun to look into this & should be able to report back by EOW.

@darcyclarke darcyclarke added Release 6.x work is associated with a specific npm 6 release Security security related labels Apr 25, 2022
@darcyclarke
Contributor

darcyclarke commented Apr 28, 2022

Update: @mrbusche, @ruyadorno from our team just cut a new v6 (v6.14.17) which should address all of the critical CVEs flagged including minimist's CVE-2021-44906 (notably, this version of npm should get shipped in the next v14 release). You can get this release today by running npm i -g npm@6.

That said, there are still some lingering "high" severity vulns we cannot update, unfortunately (they're associated with transitive deps that were not patched within a semver range we can update to without breaking changes). This will likely get worse over time as more dependencies stop supporting legacy versions of their packages that supported unmaintained versions of Node. I'd suggest to you, and anyone else reading, to try to upgrade to v8 as soon as possible.

@mrbusche
Author

> Update: @mrbusche, @ruyadorno from our team just cut a new v6 (v6.14.17) which should address all of the critical CVEs flagged including minimist's CVE-2021-44906 (notably, this version of npm should get shipped in the next v14 release). You can get this release today by running npm i -g npm@6.
>
> That said, there are still some lingering "high" severity vulns we cannot update, unfortunately (they're associated with transitive deps that were not patched within a semver range we can update to without breaking changes). This will likely get worse over time as more dependencies stop supporting legacy versions of their packages that supported unmaintained versions of Node. I'd suggest to you, and anyone else reading, to try to upgrade to v8 as soon as possible.

Appreciate the update. Not your issues/concern but hoping Amazon releases a v16 lambda image soon, otherwise we'll end up forcing an update to v8.
