create-react-app: 302 moderate severity vulnerabilities in npm audit due to minimist package

Describe the bug

I have prepared a new project with create-react-app and then tried to run npm audit. I got the following output:

Moderate        Prototype Pollution                                           
                                                                               
 Package         minimist                                                      
                                                                               
 Patched in      >=1.2.3                                                       
                                                                               
 Dependency of   react-scripts                                                 
                                                                               
 Path            react-scripts > webpack-dev-server > chokidar > fsevents >    
                 node-pre-gyp > rc > minimist                                  
                                                                               
 More info       https://npmjs.com/advisories/1179                             
                                                                               
found 302 moderate severity vulnerabilities in 918863 scanned packages
 302 vulnerabilities require manual review. See the full report for details.

Environment

package.json

"dependencies": {
  "@testing-library/jest-dom": "^4.2.4",
  "@testing-library/react": "^9.3.2",
  "@testing-library/user-event": "^7.1.2",
  "react": "^16.13.0",
  "react-dom": "^16.13.0",
  "react-scripts": "3.4.0"
},

System npm and node version:

npm -v
6.14.2
node -v
v12.12.0

Expected behavior

It should use the suggested updated version of the minimist package.
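The audit row above names the bug class (prototype pollution) but not what it looks like in code. The following is an added example, not code from this issue and not minimist's source: a deliberately small `--key=value` option parser in an unguarded and a guarded form, run on constructed argv input. It shows how a dotted option name can walk onto Object.prototype and the two checks a hardened parser applies (reject the reserved keys, build option objects without a prototype). All function names are this example's own.

```javascript
// Added example, not code from the issue thread and not minimist's source.
// A minimal "--key=value" parser written two ways, to show the bug class that
// advisory 1179 reports for minimist < 1.2.3 and the check that closes it.
// `setPath` writes a dotted option name such as "db.host" as a nested object;
// the unguarded version follows "__proto__" onto Object.prototype, so every
// object in the process picks up the assigned value.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at dotted `path` inside `target`, creating intermediate objects.
function setPath(target, path, value, guard) {
  const parts = path.split('.');
  let node = target;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (guard && FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing option "${path}": key "${key}" would alter an object prototype`);
    }
    if (i === parts.length - 1) {
      node[key] = value;
    } else {
      if (typeof node[key] !== 'object' || node[key] === null) {
        // Guarded intermediates are created without a prototype, so even an
        // unexpected key has nothing shared to reach.
        node[key] = guard ? Object.create(null) : {};
      }
      node = node[key];
    }
  }
  return target;
}

// Parses ["file", "--a=1", "--b.c", "x", "--flag"] into options plus positionals in `_`.
// Like most argv parsers, "--flag value" treats the next non-option token as the value.
function parseArgs(argv, guard) {
  const opts = guard ? Object.create(null) : {};
  const positional = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) { positional.push(arg); continue; }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    if (eq !== -1) {
      setPath(opts, body.slice(0, eq), body.slice(eq + 1), guard);
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith('--')) {
      setPath(opts, body, argv[++i], guard);
    } else {
      setPath(opts, body, true, guard);
    }
  }
  opts._ = positional;
  return opts;
}

const parseArgsUnguarded = (argv) => parseArgs(argv, false);
const parseArgsGuarded = (argv) => parseArgs(argv, true);

// Runs `parser` on `argv` and reports whether a fresh, unrelated object now
// sees `probeKey`; the mark is removed again so the rest of the process is unaffected.
function leavesPrototypeMark(parser, argv, probeKey) {
  parser(argv);
  const hit = probeKey in {};
  delete Object.prototype[probeKey];
  return hit;
}

if (typeof require !== 'undefined' && require.main === module) {
  const hostile = ['--__proto__.polluted=yes']; // constructed input for the demo
  console.log('unguarded parser marks Object.prototype:', leavesPrototypeMark(parseArgsUnguarded, hostile, 'polluted'));
  try { parseArgsGuarded(hostile); } catch (e) { console.log('guarded parser:', e.message); }
  console.log(parseArgsGuarded(['file.txt', '--port=8080', '--db.host', 'localhost', '--verbose']));
}
```

The guarded parser keeps both defences because each covers a gap in the other: the key blocklist gives a clear error for a hostile option, while the null-prototype objects mean that a key the blocklist does not anticipate still cannot reach anything shared.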

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 36
  • Comments: 19

Most upvoted comments

It appears like they’ve closed the issue. Does that mean it’s done? The only resolution they gave at the end only applies to Yarn users and requires the user to manually do something. What about NPM users? And shouldn’t this be a fix that is automatic and just happens when updating to the latest packages?

After the recommended fix (“Change your package.json files to "react-scripts": "^3.4.0", and then run npm install”) I still have 583 low severity vulnerabilities.

This appears to be fixed in ^3.4.1

Install react-scripts@latest to solve this.

Solution: For npm users:

  1. npm install minimist --save-dev (e.g. minimist version 1.2.5)

  2. Add a "resolutions" key adjacent to the "dependencies" key in the package.json file:
     { "resolutions": { "minimist": "^1.2.5" } }

  3. Add the line below inside the "scripts" key in package.json, for example:
     "scripts": { "preinstall": "npx npm-force-resolutions" }

  4. Remove node_modules and then run the command: npm install.

That’s it. 😃

I still have it, even in 3.4.1, with yarn audit

Can confirm.

With react-scripts and node-sass, I got a total of 283 low severity vulnerabilities and it’s all minimist, which seems to be a dependency of mkdirp in all cases. Mkdirp is using an old version of minimist.

"mkdirp": {
  "version": "0.5.1",
  "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz",
  "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=",
  "requires": {
    "minimist": "0.0.8"
  },

Seems like a fix is underway, though.

https://github.com/isaacs/node-mkdirp/issues/7
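The comments disagree about which chain pulls in the old minimist (rc under fsevents in the original report, mkdirp in the comment above), and a lockfile can contain several copies at different versions. The following is an added example, not code from the thread or from npm: a script that walks a lockfile (v1 shape, "dependencies" plus "requires") from the project's direct dependencies and reports every chain that ends in a minimist below the patched range, in the same "a > b > c" form as the Path row of npm audit. The lockfile inside the block is constructed for the example; only the mkdirp 0.5.1 pin on minimist 0.0.8, react-scripts 3.4.0 and the patched range >=1.2.3 come from the thread, every other version and range is a placeholder.

```javascript
// Added example, not code from the issue thread or from npm/react-scripts.
// Walks an npm v1 lockfile ("dependencies" = what is installed where,
// "requires" = what each package declares) from the project's direct
// dependencies and lists every dependency chain that ends in a copy of
// `target` older than `fixedVersion`. The lockfile below is constructed:
// apart from react-scripts 3.4.0 and mkdirp 0.5.1 requiring minimist 0.0.8,
// all versions and ranges are placeholders.

const SAMPLE_LOCK = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'react-scripts': { version: '3.4.0', requires: { 'webpack-dev-server': '^3.0.0', mkdirp: '^0.5.1' } },
    'node-sass': { version: '4.0.0', requires: { mkdirp: '^0.5.1' } },
    'webpack-dev-server': { version: '3.0.0', requires: { chokidar: '^2.0.0' } },
    chokidar: { version: '2.0.0', requires: { fsevents: '^1.0.0' } },
    fsevents: { version: '1.0.0', requires: { 'node-pre-gyp': '*' } },
    'node-pre-gyp': { version: '0.0.0', requires: { rc: '*' } },
    rc: { version: '1.0.0', requires: { minimist: '^1.2.0' } },
    // hoisted copy, still below the patched range
    minimist: { version: '1.2.0' },
    // mkdirp pins an old minimist, so npm nests a second copy under it
    mkdirp: {
      version: '0.5.1',
      requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8' } },
    },
  },
};

// Numeric compare of dotted versions ("1.2.0" vs "1.2.3"); pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Node's lookup order: the package's own nested node_modules first, then each
// ancestor's, then the project root.
function resolveDep(nodeStack, name) {
  for (let i = nodeStack.length - 1; i >= 0; i--) {
    const deps = nodeStack[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

// Returns [{ path: 'a > b > target', version }] for every chain from a root
// name to a copy of `target` whose version is below `fixedVersion`.
function findVulnerableChains(lock, rootNames, target, fixedVersion) {
  const chains = [];
  function visit(nodeStack, nameStack) {
    const node = nodeStack[nodeStack.length - 1];
    const name = nameStack[nameStack.length - 1];
    if (name === target) {
      if (compareVersions(node.version, fixedVersion) < 0) {
        chains.push({ path: nameStack.join(' > '), version: node.version });
      }
      return;
    }
    for (const dep of Object.keys(node.requires || {})) {
      if (nameStack.includes(dep)) continue; // break dependency cycles
      const resolved = resolveDep(nodeStack, dep);
      if (resolved) visit([...nodeStack, resolved], [...nameStack, dep]);
    }
  }
  for (const root of rootNames) {
    const node = resolveDep([lock], root);
    if (node) visit([lock, node], [root]);
  }
  return chains;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage on a real project: node find-minimist.js ./package-lock.json react-scripts node-sass
  // (the names after the lockfile path are the project's direct dependencies).
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const roots = process.argv.length > 3 ? process.argv.slice(3) : ['react-scripts', 'node-sass'];
  for (const c of findVulnerableChains(lock, roots, 'minimist', '1.2.3')) {
    console.log(`${c.path}  (minimist@${c.version})`);
  }
}
```

Run against the constructed lockfile this prints three chains: the long fsevents/rc chain reaching the hoisted 1.2.0, and two chains (via react-scripts and via node-sass) reaching the 0.0.8 nested under mkdirp. That split is the behaviour the thread describes: bumping the hoisted copy removes the first chain, while the mkdirp pin keeps the other two until mkdirp itself is updated.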

@ddd-37 The caret shouldn’t be the reason it works or not in this case. I tried updating jest and it fixed 300 of the 302 issues. If you want to recreate this:

Run npm i jest@latest. Then delete package-lock.json and the node_modules folder.

Reinstall with npm install.

I think this is a webpack issue. I don’t use react-scripts and I see similar warnings about minimist. I tried updating webpack to no avail.

Stopped by to say I’m also having the same issue with 583 low severity vulnerabilities.