Backport of v1.2.6 fixes to v0.2.x?

[gorner]

Thanks to the new maintainers for taking over this project. I see a new version of the v0.2.x line has been published even though it still seems to be covered by CVE-2021-44906.

Is there any possibility of the fix from v1.2.6 being backported, or is it necessary at all? I ask because the maintainers of one of the other packages we use have thus far not responded to suggestions to update and a patch update to the v0.2.x line would obviate the need for that.

And yes, I'm aware we can also use yarn resolutions, NPM overrides, etc. and the risk is probably fairly minimal in our use case – but I assume there's a reason the v0.2.x line is being maintained.

[ljharb]

Yes, I’ll do a few backports.

[shadowspawn]

The npm audit info seems to be one behind anyway, but checking against Synk.

Running manual tests against the proof of concept attacks in Sync:

• poc1 and poc2 from https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795
  • https://www.cve.org/CVERecord?id=CVE-2021-44906
• poc3 from https://security.snyk.io/vuln/SNYK-JS-MINIMIST-559764
  • https://www.cve.org/CVERecord?id=CVE-2020-7598

A successful mitigation against pollution prints undefined.

% npm i --silent [email protected]
% node poc1
value0
% node poc2
value1
% node poc3
bar

% npm i --silent [email protected]
% node poc1                    
undefined
% node poc2                    
undefined
% node poc3                    
bar

% npm i --silent [email protected]
% node poc1                    
undefined
% node poc2                    
undefined
% node poc3                    
undefined

[ljharb]

Which commits/PRs are still unbackported?

[shadowspawn]

I think we are good to go ahead with requesting update to vulnerability information (not that I have any idea of the process!).

[email protected] includes the new backport:

• ef9153f
• 34e20b8

[ljharb]

Awesome. I'm not sure how to go about that. If there's specific things (github and/or snyk) then with the links to those, I can pursue updating them to note that v0.2.4+ isn't vulnerable.

[shadowspawn]

The current audit link references advisories for the first vulnerability:

% npm audit
# npm audit report

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h

The Synk links for both vulnerabilities are in #11 (comment)

[ljharb]

https://security.snyk.io/vuln/SNYK-JS-MINIMIST-559764 is already fixed in v0.2.1+. I've pinged someone at Snyk for https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795.

Filed github/advisory-database#1725 for the npm audit one.

[shadowspawn]

For interest of gentle readers, the unit tests for prototype pollution on the v0.2.x branch are: https://github.com/minimistjs/minimist/blob/v0.2.x/test/proto.js

[shadowspawn]

npm audit now knows that 0.2.4 is ok, thanks to @ljharb for filing advisory database update:

11 % npm ls minimist
[email protected] /Users/john/Documents/Sandpits/minimist/issues/11
└── [email protected]

11 % npm audit
found 0 vulnerabilities

[shadowspawn]

I have submitted updates to the CVE entries themselves via the CVE numbering authority for the issues: https://cveform.mitre.org/

[ljharb]

I think this is resolved; please file a new issue if there's any remaining vulnerabilities in a minor line.