[Apiiro] SCA OSS Vulnerabilities - Critical CVSS score · Critical Risk #123

Open
apiiro-staging bot opened this issue Jun 20, 2024 · 0 comments

the witch is dead

Discovered on: Mar 12, 2024 12:20
Dependency: minimist
Version: 0.0.8
Type: Sub dependency
Introduced through:

  • ts-jest: 23.10.5 > mkdirp: 0.5.1 > minimist: 0.0.8
  • ts-node-dev: 1.0.0-pre.32 > mkdirp: 0.5.1 > minimist: 0.0.8
  • ts-node: 7.0.1 > mkdirp: 0.5.1 > minimist: 0.0.8
  • typeorm: 0.2.11 > mkdirp: 0.5.1 > minimist: 0.0.8
  • jest: 23.6.0 > jest-cli: 23.6.0 > istanbul-api: 1.3.7 > mkdirp: 0.5.1 > minimist: 0.0.8
  • nodemon: 1.18.9 > chokidar: 2.0.4 > fsevents: 1.2.4 > node-pre-gyp: 0.10.3 > mkdirp: 0.5.1 > minimist: 0.0.8

Vulnerabilities

  • Prototype Pollution in minimist, CVSS score 9.8; fixed version: 0.2.4
  • Prototype Pollution in minimist, CVSS score 5.6; fixed version: 0.2.1
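The two findings above are the same bug class: an option parser that accepts dotted keys ("--a.b=c") and walks the path with no check on the key names, so a key of `__proto__` lands the assignment on Object.prototype. The following is an added example, not minimist's code and not part of this report: a minimal parser with the same dotted-key feature in a vulnerable form and a hardened form, with a `demonstrate()` helper that shows the effect of a polluting payload on unrelated objects. All function names and the payload are this example's own.

```javascript
// Added example, not minimist's code: a minimal argv parser with the same
// "--a.b=c" dotted-key feature, first in a form that is vulnerable to
// prototype pollution and then hardened. Function names are this example's own.

// Vulnerable: walks the dotted path, creating intermediate objects, and never
// checks the key names. For "--__proto__.polluted=yes" the first step reads
// out["__proto__"], which is Object.prototype, so the final assignment lands
// on Object.prototype and every object in the process inherits "polluted".
function parseArgvVulnerable(argv) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const keys = m[1].split('.');
    let node = out;
    for (let i = 0; i < keys.length - 1; i++) {
      if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) node[keys[i]] = {};
      node = node[keys[i]];
    }
    node[keys[keys.length - 1]] = m[2];
  }
  return out;
}

// Hardened: (1) the result and every nested node have a null prototype, so
// Object.prototype is not reachable through them; (2) key names that address
// the prototype chain are rejected outright, which also keeps the parsed
// object free of own properties literally named "__proto__".
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function parseArgvHardened(argv) {
  const out = Object.create(null);
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (!m) continue;
    const keys = m[1].split('.');
    const bad = keys.find((k) => UNSAFE_KEYS.has(k));
    if (bad !== undefined) throw new Error(`refusing unsafe option key "${bad}" in ${arg}`);
    let node = out;
    for (let i = 0; i < keys.length - 1; i++) {
      if (typeof node[keys[i]] !== 'object' || node[keys[i]] === null) node[keys[i]] = Object.create(null);
      node = node[keys[i]];
    }
    node[keys[keys.length - 1]] = m[2];
  }
  return out;
}

// Runs the same constructed payload through both parsers and reports what
// happened to a fresh, unrelated object before and after each call.
function demonstrate() {
  const payload = ['--__proto__.polluted=yes', '--port=8080'];
  const before = ({}).polluted;            // undefined: a fresh object has no such key
  parseArgvVulnerable(payload);
  const after = ({}).polluted;             // "yes": an unrelated fresh object now inherits it
  delete Object.prototype.polluted;        // undo the pollution so the rest of the process is unaffected
  let hardenedError = null;
  try {
    parseArgvHardened(payload);
  } catch (e) {
    hardenedError = e.message;
  }
  return { before, after, hardenedError, afterHardened: ({}).polluted };
}

console.log(demonstrate());
```

The null-prototype result on its own already stops the `__proto__` path (on such an object the name is just an own property), and the key deny-list is what lets callers safely hand the parsed object to code that expects a normal object; real argv parsers also have to apply the same check to nested keys and to keys supplied through aliases and defaults.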

About this package:

External dependency: minimist - https://www.npmjs.com/package/minimist
Package details: parse argument options
Latest version: 1.2.8
License: MIT
Insights:

  • Adequately tested - Testing practices are thoroughly followed
  • Low maintainer count - This package is maintained by fewer than three developers, which may indicate substantial risk. Maintainers manage the code and ensure its quality, so packages with a low maintainer count are more exposed to account compromise or to a maintainer acting maliciously.
  • Popularity - This package has many weekly downloads and high popularity scores
  • Has vulnerabilities - One or more vulnerabilities have been reported for this package

Remediation

Upgrade the top-level dependencies (declared in: type-graphql-series-master@768d12cc9e3/yarn.lock) so that minimist 0.0.8 is replaced by at least the minimum required version, minimist 1.2.6:

minimist: 0.0.8 -> 1.2.6

Because minimist is a sub-dependency reached only through mkdirp 0.5.1, bumping the listed top-level packages only removes the finding if their newer releases no longer resolve to mkdirp 0.5.1; otherwise the resolution has to be forced in the lockfile. Either way, confirm afterwards that no copy of minimist below 1.2.6 remains in yarn.lock.
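The remediation above is only done when the lockfile no longer resolves any copy of minimist below 1.2.6, and with a sub-dependency the quickest way to check that, and to see which locked package still pulls the old copy in, is to read yarn.lock directly. The following is an added example, not Apiiro's or Yarn's code: a small reader for the Yarn v1 lockfile format (the format the report's `yarn.lock` path implies) that lists every locked copy of a package below a given fixed version together with the locked packages whose dependency range maps onto that copy. The function names are this example's own, and the embedded lockfile is constructed for the example (placeholder URLs and integrity values), not copied from the project.

```javascript
// Added example, not Apiiro's or Yarn's code: a reader for the Yarn v1
// lockfile format that reports every locked copy of a package resolved below
// a fixed version, and which locked packages require that copy. The sample
// lockfile is constructed (placeholder URLs and integrity values).

// Package name from a lock spec such as "minimist@0.0.8" or "@scope/pkg@^1.0.0".
function nameOf(spec) {
  const at = spec.indexOf('@', spec.startsWith('@') ? 1 : 0);
  return at === -1 ? spec : spec.slice(0, at);
}

// Parses the entries of a Yarn v1 lockfile: header lines at indent 0 list the
// requested specs, "version" at indent 2 is the resolved version, and lines at
// indent 4 under "dependencies:" are the entry's own requirements.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0 && body.endsWith(':')) {
      const specs = body.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specs, name: nameOf(specs[0]), version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
    } else if (current && indent === 2) {
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      const m = /^version "?([^"]+)"?$/.exec(body);
      if (m) current.version = m[1];
    } else if (current && inDeps && indent === 4) {
      const m = /^"?([^"\s]+)"? "?([^"]*)"?$/.exec(body);
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric comparison of dotted versions; prerelease tags are ignored, which is
// enough for this lockfile check (an assumption of the example, not full semver).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every locked copy of pkgName resolved below minFixed, with the locked
// packages whose dependency range maps onto that copy (one level of the
// "introduced through" chain in the report).
function findVulnerableResolutions(lockText, pkgName, minFixed) {
  const entries = parseYarnLockV1(lockText);
  return entries
    .filter((e) => e.name === pkgName && e.version !== null && compareVersions(e.version, minFixed) < 0)
    .map((e) => ({
      specs: e.specs,
      version: e.version,
      requiredBy: entries
        .filter((d) => Object.entries(d.dependencies).some(([n, r]) => e.specs.includes(`${n}@${r}`)))
        .map((d) => `${d.name}@${d.version}`),
    }));
}

// Constructed lockfile fragment: one stale minimist copy pulled by mkdirp 0.5.1
// and one fixed copy pulled by a newer mkdirp.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


minimist@0.0.8:
  version "0.0.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-0.0.8.tgz"
  integrity sha1-CONSTRUCTED

minimist@^1.2.0, minimist@^1.2.6:
  version "1.2.8"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz"
  integrity sha512-CONSTRUCTED

mkdirp@0.5.1:
  version "0.5.1"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.1.tgz"
  integrity sha1-CONSTRUCTED
  dependencies:
    minimist "0.0.8"

mkdirp@^0.5.6:
  version "0.5.6"
  resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.6.tgz"
  integrity sha512-CONSTRUCTED
  dependencies:
    minimist "^1.2.6"
`;

console.log(JSON.stringify(findVulnerableResolutions(SAMPLE_YARN_LOCK, 'minimist', '1.2.6'), null, 2));
```

Against a real repository, read the file with `fs.readFileSync('yarn.lock', 'utf8')` in place of the constructed sample; an empty result for the threshold 1.2.6 is the condition the remediation is asking for. On the sample, the one hit is minimist 0.0.8 required by mkdirp@0.5.1, which is exactly the link every "introduced through" chain in the report shares, so that is the package whose resolution the top-level upgrades (or a forced lockfile resolution) have to move.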
