
npm audit errors on 15.0.1 (master) following npm audit fix #1315

Closed
aral opened this issue May 19, 2020 · 2 comments

Comments


aral commented May 19, 2020

Link to bug demonstration repository

https://github.com/istanbuljs/nyc

Expected Behavior

npm audit does not return any errors (the policy here appears to be that it doesn’t return any errors after an npm audit fix, which is the case here).

Observed Behavior

                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev standard-version@8.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > yargs > yargs-parser                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump >           │
│               │ git-semver-tags > meow > yargs-parser                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > git-semver-tags > meow > yargs-parser     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump > meow >    │
│               │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 low severity vulnerabilities in 895 scanned packages
  1 vulnerability requires semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.

Troubleshooting steps

  1. git clone https://github.com/istanbuljs/nyc.git
  2. npm audit fix
  3. npm audit

Environment Information

  System:
    OS: Linux 5.4 Pop!_OS 20.04 LTS
    CPU: (8) x64 Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
    Memory: 1.76 GB / 15.35 GB
  Binaries:
    Node: 12.16.2 - ~/.nvm/versions/node/v12.16.2/bin/node
    Yarn: 1.22.4 - /usr/bin/yarn
    npm: 6.14.4 - ~/.nvm/versions/node/v12.16.2/bin/npm
  npmPackages:
    istanbul-lib-coverage: ^3.0.0 => 3.0.0 
    istanbul-lib-hook: ^3.0.0 => 3.0.0 
    istanbul-lib-instrument: ^4.0.0 => 4.0.1 
    istanbul-lib-processinfo: ^2.0.2 => 2.0.2 
    istanbul-lib-report: ^3.0.0 => 3.0.0 
    istanbul-lib-source-maps: ^4.0.0 => 4.0.0 
    istanbul-reports: ^3.0.2 => 3.0.2 
    source-map-support: ^0.5.16 => 0.5.16 
@coreyfarrell (Member) commented

npm install nyc does not produce any audit errors, only during npm install from the git repo. This is via a deep development dependency and it's outside our control. #1314 updates standard-version to latest and refreshes the package-lock.json but this is all that can be done here.

I'm closing this issue as it does not affect the published package and nothing can be done about it. For your peace of mind this is a false vulnerability report, one of many reported by Snyk lately. They assert that if you run standard-version --foo.__proto__.bar baz the addition of the bar property to all objects demonstrates a vulnerability. Anyone who has access to run CLI arguments can set NODE_OPTIONS=--require=/path/to/hijack-prototype.js even with the yargs-parser "vulnerability" fixed.
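To make the mechanism the comment above describes concrete, here is an added example (not code from nyc, standard-version or yargs-parser): a toy dotted-key argument parser in which `--foo.__proto__.bar baz` walks into Object.prototype, beside a guarded variant that refuses such path segments, plus a small check that reports which names newly appeared on Object.prototype. The function names setPath, parseArgs and pollutedNames are assumptions made for this example.

```javascript
// Added example, not code from nyc, standard-version or yargs-parser; the
// function names below are hypothetical. Shows how a dotted CLI key such as
// --foo.__proto__.bar reaches Object.prototype, and the guard that stops it.

// Path segments that let a dotted key escape the object being built.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at dotted `path` under `target`. With guard=false a segment such
// as __proto__ resolves to Object.prototype, so the final property lands on every
// object in the process. With guard=true the offending path is rejected.
function setPath(target, path, value, guard) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length; i++) {
    const part = parts[i];
    if (guard && POLLUTING_KEYS.has(part)) {
      throw new Error(`refusing polluting segment "${part}" in --${path}`);
    }
    if (i === parts.length - 1) { node[part] = value; return; }
    if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
    node = node[part];
  }
}

// Minimal `--key value` / `--flag` parser over an argv-style array.
function parseArgs(argv, guard) {
  const out = {};
  for (let i = 0; i < argv.length; i++) {
    if (!argv[i].startsWith('--')) continue;
    const key = argv[i].slice(2);
    const next = argv[i + 1];
    const value = next !== undefined && !next.startsWith('--') ? argv[++i] : true;
    setPath(out, key, value, guard);
  }
  return out;
}

// Detection helper: parse, report property names that newly appeared on
// Object.prototype, then delete them so the rest of the process is unaffected.
function pollutedNames(argv, guard) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  let error = null;
  try { parseArgs(argv, guard); } catch (e) { error = e.message; }
  const added = Object.getOwnPropertyNames(Object.prototype).filter((n) => !before.has(n));
  for (const n of added) delete Object.prototype[n];
  return { added, error };
}

// Constructed argv mirroring the advisory's example quoted in the comment above.
const demoArgv = ['--foo.__proto__.bar', 'baz'];
console.log(pollutedNames(demoArgv, false)); // { added: [ 'bar' ], error: null }
console.log(pollutedNames(demoArgv, true));  // added: [], error mentions "__proto__"
```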


aral commented May 19, 2020

Ah, sorry, should have checked the pull requests. Thanks for the explanation.
