minimist used with security vulnerability

[daveisfera]

Currently used versions of minimist in stable versions has a security vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

[mourner]

This was fixed in #9425.

[daveisfera]

That's not currently available in a stable version

[mourner]

v1.9.0 will be released tomorrow; meanwhile, you can use the beta version if that security warning concerns you. It doesn't actually affect GL JS in any way since it's not used by it directly, only for some minor tools for the style specification.

[FabianKoestring]

v1.9.0 will be released tomorrow; meanwhile, you can use the beta version if that security warning concerns you. It doesn't actually affect GL JS in any way since it's not used by it directly, only for some minor tools for the style specification.

When will v1.9.* be released?

[mourner]

@FabianKoestring there was a minor delay after discovering a regression, but it should be up today hopefully.

[GUI]

Just a heads up that this is not resolved in the new v1.9.0 release (since it sounds like that was maybe expected). Version 1.9.0 still has the minimist version pinned to 0.0.8: https://github.com/mapbox/mapbox-gl-js/blob/v1.9.0/package.json#L30

As an additional note, once v1.9.1 ships (or which ever version includes the update), currently mapbox-gl would still introduce a nested dependency on a vulnerable minimist version due to the @mapbox/geojson-rewind > sharkdown > minimist dependencies. See mapbox/geojson-rewind#27.

I understand this security issue may not really affect mapbox-gl's browser usage, but it might still be nice if this were addressed to cut down on automated security alerts generated by various tools. Here's the current results of yarn audit when run against the newest versions of mapbox-gl (v1.9.0) and @mapbox/geojson-rewind (v0.4.1):

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > @mapbox/geojson-rewind > sharkdown > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > minimist                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘

[ryanhamley]

Sorry, there was a miscommunication earlier. This fix was merged after we'd cut the beta branch for 1.9.0 so it did not make it into the release. This doesn't seem urgent enough to necessitate a patch release, especially if the offending version of minimist is still included through a dependency chain so I assume this will go out in 1.10.0 next month.

As for the dependency using minimist, that's not something we'll be able to directly control. We've updated minimist in GL JS and the direct dependency in geojson-rewind. Someone will need to submit a PR to sharkdown to update their dependency on minimist then when they release a new version, it should start to be installed along with geojson-rewind . See
https://github.com/tmcw-up-for-adoption/sharkdown/blob/407983bcb7a8acf36a7d6ae3d5ad2ed65799e1a8/package.json#L14

[mourner]

@ryanhamley let me deal with geojson-rewind subdeps, it's long overdue for a cleanup.

[GagandeepKaur]

I faced similar audit warnings as mentioned earlier by @GUI . So, this issue is expected to be fixed in 1.10.0 release in April month? Pls, confirm some tentative date. Mapbox-gl is the only package whose audit failures need to be fixed in my project. So, I am waiting for it to fix its vulnerabilities to have a clean npm audit report.

Thanks Team.

[ryanhamley]

@GagandeepKaur 1.10 is planned to be a significant release so our timeline with it is more tentative than usual. that said, we expect to cut a beta release next week with an eye towards a full release two weeks later. we've built in an extra week of testing for some larger improvements so if we find bugs, it's always possible the release could be pushed slightly, but we expect to have 1.10 out this month

[vinayakkulkarni]

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mapbox/geojson-extent                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mapbox/geojson-extent > @mapbox/geojson-coords >            │
│               │ geojson-flatten > minimist                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mapbox/mapbox-gl-draw                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mapbox/mapbox-gl-draw > @mapbox/geojson-extent >            │
│               │ @mapbox/geojson-coords > geojson-flatten > minimist          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl-draw-circle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl-draw-circle > @mapbox/mapbox-gl-draw >             │
│               │ @mapbox/geojson-extent > @mapbox/geojson-coords >            │
│               │ geojson-flatten > minimist                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @mapbox/mapbox-gl-draw                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @mapbox/mapbox-gl-draw > @mapbox/geojsonhint > minimist      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl-draw-circle                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl-draw-circle > @mapbox/mapbox-gl-draw >             │
│               │ @mapbox/geojsonhint > minimist                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > @mapbox/geojson-rewind > sharkdown > minimist    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapbox-gl                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapbox-gl > minimist                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[karimnaaji]

Sorry for reopening, we thought this was not addressed for production dependencies, yarn audit reports issues only for dev ones, closing back. This will be available in 1.10.

[karimnaaji]

Available as of yesterday in our beta release: https://www.npmjs.com/package/mapbox-gl/v/1.10.0-beta.1.