Npm audit failing for jest 24.8.0 with severity high on 26k+ dependencies #8682

Closed
lmammino opened this issue Jul 12, 2019 · 15 comments · May be fixed by joseroubert08/jest#34 or joseroubert08/jest#76
Comments

@lmammino

lmammino commented Jul 12, 2019

🐛 Bug Report

Npm audit failing for jest 24.8.0 with severity high on 26k+ dependencies

To Reproduce

mkdir new-project && cd new-project
npm init -y
npm install --save jest@24.8.0
npm audit

Should produce the following output:

+ jest@24.8.0
added 547 packages from 362 contributors and audited 873711 packages in 15.659s
found 12675 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

Also see attached npm audit report in JSON format

npm_audit_output.json.zip

Expected behavior

N/D

Link to repl or repo (highly encouraged)

N/D

Run npx envinfo --preset jest

Paste the results here:

  System:
    OS: macOS High Sierra 10.13.6
    CPU: (8) x64 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
  Binaries:
    Node: 12.4.0 - ~/n/bin/node
    npm: 6.9.2 - ~/n/bin/npm
  npmPackages:
    jest: ^24.8.0 => 24.8.0

@randytorres

Same issue here

@ghost

ghost commented Jul 12, 2019

It looks like the offending package down the dependency tree is set-value.

I ran this command npm audit --json | npm-audit-html and got the following report attached.
npm-audit.html.zip

@dgowrie

dgowrie commented Jul 12, 2019

Seems unpatched versions of mixin-deep and set-value are the source of most (all?) of these vulnerabilities.

mixin-deep advisory here https://www.npmjs.com/advisories/1013

Please update to version 2.0.1 or later, a critical bug was fixed in that version.

set-value advisory here https://www.npmjs.com/advisories/1012

Please update to version 3.0.1 or later, a critical bug was fixed in that version.
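
The bug class behind the two advisories linked above (npm advisories 1012 and 1013 are both prototype-pollution reports), as an added example that is not code from set-value, mixin-deep or Jest. `setPathUnsafe` and `mergeDeepUnsafe` are minimal helpers written here in the style of a dotted-path setter and a deep merge, not the libraries' own code; they walk into `__proto__`, so a key chosen by whoever controls the input lands on `Object.prototype` and becomes visible on every object in the process. The `*Safe` variants show the fix: refuse the three keys that reach the prototype chain and only descend into own properties. The JSON payload in `probeMerge` is constructed for the example.

```javascript
// Added example, not code from set-value, mixin-deep or Jest: a path setter
// and a deep merge in the style of those helpers, each beside a hardened form.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object';

// set-value style: setPath(obj, 'a.b.c', value). Trusts every path segment.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    if (!isObject(cur[key])) cur[key] = {}; // '__proto__' resolves to Object.prototype here
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  const bad = keys.find((k) => FORBIDDEN_KEYS.has(k));
  if (bad !== undefined) throw new Error(`refusing to set reserved key "${bad}"`);
  let cur = target;
  for (const key of keys.slice(0, -1)) {
    // only reuse a container the object really owns, never an inherited one
    if (!Object.prototype.hasOwnProperty.call(cur, key) || !isObject(cur[key])) cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// mixin-deep style: recursive merge of `source` into `target`.
// JSON.parse('{"__proto__": {...}}') yields an own key named __proto__, and
// target.__proto__ on a plain object is Object.prototype, so the recursion
// merges the attacker's fields straight into the shared prototype.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) mergeDeepUnsafe(target[key], source[key]);
    else target[key] = source[key];
  }
  return target;
}

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop (or throw, per the caller's policy)
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(source[key]) && own && isObject(target[key])) mergeDeepSafe(target[key], source[key]);
    else if (isObject(source[key])) target[key] = mergeDeepSafe({}, source[key]);
    else target[key] = source[key];
  }
  return target;
}

// Runs a setter against a path aimed at the prototype and reports whether an
// unrelated object picked up the key; cleans up so later code is unaffected.
function probeSetter(setter) {
  const result = { threw: false, polluted: false };
  try {
    setter({}, '__proto__.polluted', 'yes');
  } catch (e) {
    result.threw = true;
  }
  result.polluted = 'polluted' in {};
  delete Object.prototype.polluted;
  return result;
}

// Same for a merge, with a payload shaped like an attacker-supplied JSON body (constructed).
function probeMerge(merge) {
  const payload = JSON.parse('{"theme": "dark", "__proto__": {"isAdmin": true}}');
  merge({}, payload);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('set-value style, unsafe:  ', probeSetter(setPathUnsafe));
  console.log('set-value style, safe:    ', probeSetter(setPathSafe));
  console.log('mixin-deep style, unsafe: ', probeMerge(mergeDeepUnsafe));
  console.log('mixin-deep style, safe:   ', probeMerge(mergeDeepSafe));
}
```

The practical consequence for a test runner is that any code path that feeds user-controlled keys into such a helper (a config merge, a query-string parser) can flip a property check like `isAdmin` on every object, which is why `npm audit` rates these as high even though the packages are several levels down the tree.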

@tinoqq

tinoqq commented Jul 12, 2019

BUMP

@nzacca

nzacca commented Jul 12, 2019

Would it be possible to upgrade micromatch to version ^4? Seems this version removes a dependency on snapdragon which has mixin-deep in its chain. Seems there are a lot of jest-* packages that have micromatch 3 as a dependency though.

Edit: Might not be able to since micromatch 4 requires node 8.

@jeysal
Contributor

jeysal commented Jul 12, 2019

Upgrading micromatch to v4 (breaking) is planned for Jest 25, for performance reasons as well

@dacevedo12

Same here, set-value has been reported as vulnerable since last Friday

@lmammino
Author

@jeysal, is there an estimate release date for v25?

@jeysal
Contributor

jeysal commented Jul 12, 2019

@lmammino There'll be at least one more minor release soon before the phase of landing breaking changes for 25 starts

@lucaurso

npm audit fix fixes the problem

@omeraha

omeraha commented Jul 15, 2019

Same for me - npm audit fix fixed the problem

@SimenB
Member

SimenB commented Jul 15, 2019

If npm audit fix fixes the problem, it means all fixed packages are within semver range of Jest and its dependencies. So I think we can close this.

(Happy to take PRs increasing the minimum version of Jest's deps if it helps pull in upstream fixes when we do make a release)

@SimenB SimenB closed this as completed Jul 15, 2019
@lmammino
Author

lmammino commented Jul 15, 2019

Great to see the community moved so fast on this! Thanks to everyone involved

@SimenB
Member

SimenB commented Jul 16, 2019

(Happy to take PRs increasing the minimum version of Jest's deps if it helps pull in upstream fixes when we do make a release)

Both mixin-deep and set-value originate from braces, which comes in through micromatch. So there is not much we can bump on our side beyond micromatch 4 (which is a breaking change, as mentioned above) to bubble up fixed versions.

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2021