Prototype Pollution CVE from Minimist - Solution Pending #1583

Closed
2 of 4 tasks
zackdotcomputer opened this issue Mar 24, 2022 · 6 comments

Comments

@zackdotcomputer
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Currently, having the nest cli as a dependency causes an npm audit CVE for prototype pollution via minimist.

Minimum reproduction code

See steps below

Steps to reproduce

  1. npm add -D @nestjs/cli (8.2.4)
  2. npm audit

Expected behavior

No vulnerabilities that are reported as >= high.
As this is a devDependency, our CI/CD is blocked until this is no longer reported, or at least until it is lower than high.

Package version

8.2.4

NestJS version

8.4.2

Node.js version

14LTS

In which operating systems have you tested?

  • macOS
  • Windows
  • Linux

Other

This CVE has been marked as fixed by the minimist team, and was incorporated into @angular/angular-cli in this PR which closed this issue that was tracking the CVE on their system while they awaited a fix.

Once the next version of Angular CLI is released (ETA 2 weeks according to that PR), @nest/cli should incorporate it to fix the audit.

@micalevisk
Member

duplicate #1579

@zackdotcomputer
Contributor Author

zackdotcomputer commented Mar 24, 2022

Yup this was reported by @Shinigami92 in #1579, but that issue was closed and locked without solving the CVE. I've duplicated that issue here since a fix is now imminently going to be available, though I think ideally we should keep an issue open on the repo so developers encountering the warning can see that the Nest team intends to fix it when the upstream dependencies make a fix available.

@micalevisk
Member

micalevisk commented Mar 24, 2022

A hotfix would be using the package manager's override feature, like Yarn resolutions, like this:

```json
"resolutions": {
  "minimist": "npm:minimist@^1.2.6"
}
```

`yarn audit` won't report that vulnerability anymore:

```text
yarn audit v1.22.17
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ commitizen                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ commitizen > inquirer > string-width > strip-ansi >          │
│               │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1064843                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cz-conventional-changelog                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cz-conventional-changelog > commitizen > inquirer >          │
│               │ string-width > strip-ansi > ansi-regex                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1064843                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ commitizen                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ commitizen > inquirer > strip-ansi > ansi-regex              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1064843                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │  Inefficient Regular Expression Complexity in                │
│               │ chalk/ansi-regex                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ansi-regex                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=5.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cz-conventional-changelog                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ cz-conventional-changelog > commitizen > inquirer >          │
│               │ strip-ansi > ansi-regex                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1064843                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
4 vulnerabilities found - Packages audited: 1220
Severity: 4 Moderate
Done in 1.78s.
```

@jmcdo29
Member

jmcdo29 commented Mar 25, 2022

That issue was also closed because we have renovate and dependabot automatically create PRs to update our dependencies (especially for security updates) so we didn't see the need to keep it open at the moment. When either system creates the relevant PR (I believe it's dependabot for security) we'll link the issue to it so others can find the connection.

I'll close this as well, as it's pretty much the same situation. And thanks @micalevisk for the workaround for the time being.

@jmcdo29 jmcdo29 closed this as completed Mar 25, 2022
@zackdotcomputer
Contributor Author

Ok - sounds like we use GH Issues differently but it's your repo so I'll let you drive.

Unfortunately vanilla npm doesn't support the resolutions object like yarn and I can't install a 3rd party npm plugin to hack it in, so I'll hang out waiting for dependabot to get around to creating the PR.

@micalevisk
Member

@zackdotcomputer with NPM v8+ you could use the overrides feature along with GitHub URLs to achieve the same:

```json
"overrides": {
  "minimist": "substack/minimist-lite#semver:^1.2.6"
}
```

It worked here after `rm -rf node_modules package-lock.json`.
