
Minimist vulnerability CVE-2021-44906 #674

Closed
anirudhb-sf opened this issue Mar 21, 2022 · 5 comments

Comments

@anirudhb-sf

anirudhb-sf commented Mar 21, 2022

I'm submitting a ...

  • bug report
  • feature request
  • support request or question => Please do not submit support request or questions here, see note at the top of this template.

What is the current behavior?

minimist v1.2.5 brings in a security vulnerability which currently has no fix. The following dependency chain makes node-config a vulnerable package: config@3.2.4 › json5@1.0.1 › minimist@1.2.5.

What is the expected behavior?

Request for a security fix to make config package free from security vulnerabilities.

@markstos
Collaborator

I don't see how node-config is vulnerable due to this. minimist supplies CLI-parsing functionality to the json5 package, but node-config does not use the json5 CLI.

This looks like "not-a-bug" to me, but I'll welcome a patch to bump the version of the json5 dependency when one is available just to have a dependency tree free of vulnerabilities.

@anirudhb-sf
Author

@markstos I think we can close this issue, as json5 has eliminated its dependency on minimist with the closure of this issue in v2.2.1. Since node-config pulls in json5 as ^2.1.1, we should get v2.2.1 of json5.

@iblessedi

I confirm that there is not an issue anymore. However, an older package may be cached, and that's why you can still see this issue. To fix this, remove the node_modules folder, remove the package-lock.json file and run the npm i command again.

@leachjustin18

I've also confirmed what @iblessedi said. Once I removed my node_modules and package-lock.json and re-ran npm install/yarn install, it fixed the issue.

@markstos
Collaborator

I have pushed a commit to bump the version of json5 we require, to force upgrades to json5. I'm not putting out a new release today though since we aren't vulnerable, but I will if someone else has a problem with a related warning.
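Whether a stale lockfile still pins the chain config › json5 › minimist discussed above can be checked offline before deleting anything. This is an added example, not code from node-config or json5; it assumes the lockfileVersion 2/3 "packages" layout and takes json5 2.2.1 as the first release without minimist, as the thread states.

```javascript
// Added example (not from node-config or json5): audit a package-lock.json
// "packages" map for minimist and for json5 releases older than 2.2.1.
const FIXED_JSON5 = [2, 2, 1]; // json5 release that dropped minimist, per the issue

function parseSemver(v) {
  // "2.2.1-beta.0" -> [2, 2, 1]; prerelease tags are ignored for this check
  return v.split('-')[0].split('.').map(Number);
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    // package name is whatever follows the last "node_modules/" segment
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === 'minimist') {
      findings.push({ issue: 'minimist-installed', path, version: meta.version });
    } else if (name === 'json5' && cmpSemver(parseSemver(meta.version), FIXED_JSON5) < 0) {
      findings.push({ issue: 'json5-predates-fix', path, version: meta.version });
    }
  }
  return findings;
}

// Constructed lockfile fragments (not real project data) mirroring the thread:
// a stale lock that resolved ^2.1.1 to json5 2.1.1, and a refreshed one.
const STALE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { config: '^3.2.4' } },
    'node_modules/config': { version: '3.2.4', dependencies: { json5: '^2.1.1' } },
    'node_modules/json5': { version: '2.1.1', dependencies: { minimist: '^1.2.5' } },
    'node_modules/minimist': { version: '1.2.5' },
  },
};
const REFRESHED_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { config: '^3.2.4' } },
    'node_modules/config': { version: '3.2.4', dependencies: { json5: '^2.1.1' } },
    'node_modules/json5': { version: '2.2.1' },
  },
};

console.log(auditLock(STALE_LOCK), auditLock(REFRESHED_LOCK));
```

Point `auditLock` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real lockfile; an empty result means the reinstall advice above has already taken effect.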
