Skip to content

yargs-parser are vulnerable to prototype pollution in version 3.4.1 #8970

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
vikramdadwal opened this issue May 7, 2020 · 5 comments
Closed

yargs-parser are vulnerable to prototype pollution in version 3.4.1 #8970

vikramdadwal opened this issue May 7, 2020 · 5 comments
Labels
issue: bug report needs triage

Comments

@vikramdadwal
Copy link

vikramdadwal commented May 7, 2020
edited
Loading

Describe the bug

yargs-parser are vulnerable to prototype pollution in version 3.4.1

Expected behavior

should fix the security issue.

Actual behavior

yargs-parser are vulnerable to prototype pollution in version 3.4.1.
@ianschmitz
Copy link
Contributor

[email protected] doesn't exist.

@navidjh
Copy link

navidjh commented May 8, 2020

@ianschmitz I believe this issue is referring to react-scripts version 3.4.1 not yargs-parser.

-- [email protected]
+-- [email protected]
| -- [email protected]
| -- -- [email protected]
| -- -- -- [email protected]
-- [email protected]
-- -- [email protected]
-- -- -- [email protected]

@pzelnip
Copy link

pzelnip commented May 12, 2020

Why was this issue closed if the issue has not been fixed? react-scripts 3.4.1 is still vulnerable and will cause an npm audit to return non-zero:

Low Prototype Pollution 

Package yargs-parser 

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2 

Dependency of react-scripts [dev] 

Path react-scripts > webpack-dev-server > yargs > yargs-parser 

More info https://npmjs.com/advisories/1500

@mhassan1
Copy link
Contributor

this has been resolved on master but not yet released: #8975

@pzelnip
Copy link

pzelnip commented May 13, 2020

Any sense of when that release will be?

@lock lock bot locked and limited conversation to collaborators May 20, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
issue: bug report needs triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pzelnip @navidjh @ianschmitz @mhassan1 @vikramdadwal