Prototype Pollution via ts-jest > yargs-parser

[msklvsk]

Version

4.4.1

Environment info

System:
    OS: macOS 10.15.4
    CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Binaries:
    Node: 13.12.0 - /usr/local/bin/node
    Yarn: 1.22.4 - /usr/local/bin/yarn
    npm: 6.14.4 - /usr/local/bin/npm
  Browsers:
    Chrome: 83.0.4103.97
    Firefox: 77.0.1
    Safari: 13.1
  npmPackages:
    @vue/cli-plugin-unit-jest: ^4.4.1 => 4.4.1 
    @vue/cli-shared-utils:  4.4.1 
    jest-serializer-vue:  2.0.2 
    vue-jest:  3.0.5 
    vue-template-es2015-compiler:  1.9.1 
  npmGlobalPackages:
    @vue/cli: 4.2.3

Steps to reproduce

npm i @vue/cli-plugin-unit-jest

What is expected?

“Found 0 vulnerabilities.”

What is actually happening?

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @vue/cli-plugin-unit-jest [dev]                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @vue/cli-plugin-unit-jest > ts-jest > yargs-parser           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[Chadys]

Same issue on 4.4.3
More recent versions of ts-jest don't have that problem, the dependency to ts-jest should therefore be updated to v25.3.0 minimum (first version with a non-vulnerable dependency to yargs-parser).
See corresponding commit.

[haoqunjiang]

Not possible in this major because that's a breaking change for Vue CLI.

And there is no actual vulnerability exposed to the end-users, because in ts-jest, yargs-parser is only used for parsing command-line arguments for the command ts-jest, such as ts-jest config:init, which, an end-user would never have the chance to call.

If you do need to circumvent the warning, you can use the resolutions field in package.json and npm-force-resolutions.

[Aaronm14]

Also having this issue (from this library and also laravel-mix).

I did as @sodatea suggested, which removed the warnings, not yet clear what kind of impact it might have to the libraries that depend on the problem versions. Seems okay so far.

In package.json:

...
"scripts": {
      "preinstall": "npx npm-force-resolutions",
},
"resolutions": {
    "yargs-parser": "15.0.1"
  },
...

[MakiOtaku]

Same with @Aaronm14, originally my problem was just Laravel-mix but then I tried to just input what @msklvsk shared which is (npm i @vue/cli-plugin-unit-jest) and then a new error was added which is the (@vue/cli-plugin-unit-jest > ts-jest > yargs-parser). So I tried to do what @sodatea suggested, and same thing happened with Aaron, it removed the warnings but I'm really not sure what happened but it worked.

In package.json just copy what Aaronm14 inputed.

[fabrizioanichini]

I wonder what impact this vulnerability can have..for me the dependency is related to laravel-mix(4.1.4).
@sodatea , do you know if there are vulnerability exposed to the end-users in the laravel-mix scenario?

[lartheon]

Updated yargs-parser to 18.1.3 but I'm still seeing this vulnerability warning.

[lartheon]

Also having this issue (from this library and also laravel-mix).

I did as @sodatea suggested, which removed the warnings, not yet clear what kind of impact it might have to the libraries that depend on the problem versions. Seems okay so far.

In package.json:

...
"scripts": {
      "preinstall": "npx npm-force-resolutions",
},
"resolutions": {
    "yargs-parser": "15.0.1"
  },
...

This worked for me, this looks like the best work around for the time being