[BUG] Yargs dependency is outdated with known vulnerabilities
aleybovich opened this issue · comments
What / Why
The version of the yargs dependency is severely outdated and contains the known security vulnerability CVE-2020-7608 (yargs/yargs-parser@63810ca). That bug is fixed in yargs-parser versions 18.1.1, 13.1.2 and 15.0.1.
When
When performing an AQUA scan on the latest official nodejs v12 docker image, it finds CVE-2020-7608, which is caused by an old version of the yargs dependency in npx.
This isn't a real vulnerability, however (in like, 99% of cases the CVE implies it is one).
The attack vector here is "you run the command with archaic and uniquely crafted command-line arguments, and are thus able to hijack your own command invocation". This is a risk of precisely zero.
Hello,
I must admit that the vulnerability is actually more virtual than real, but it breaks our deployment pipeline (which includes an npm audit --prod) and prevents us from correctly interpreting the result (when the alarm is always on, nobody cares).
Would you consider upgrading to any version in the range >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2?
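A small check a release pipeline can run to answer the question above, added here as an example and not code from the issue thread or from the nodejs-docker project: it walks a package-lock.json (v1 layout, where each entry nests its own "dependencies" object), reports every yargs-parser instance together with the path that pulls it in, and tests each version against the fixed ranges quoted in the comment. The lockfile fragment at the bottom is constructed for illustration; the function and variable names are the example's own.

```javascript
// Fixed ranges as given in the comment above:
// >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
// (max: null means an open-ended upper bound)
const FIXED_RANGES = [
  { min: '13.1.2', max: '14.0.0' },
  { min: '15.0.1', max: '16.0.0' },
  { min: '18.1.2', max: null },
];

// Parse "MAJOR.MINOR.PATCH" into three numbers; pre-release suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, component by component (string comparison would
// wrongly rank "9.0.2" above "18.1.3").
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the given yargs-parser version lies inside one of the fixed ranges.
function isFixed(version) {
  const v = parseVersion(version);
  return FIXED_RANGES.some(({ min, max }) =>
    compareVersions(v, parseVersion(min)) >= 0 &&
    (max === null || compareVersions(v, parseVersion(max)) < 0));
}

// Walk a v1 package-lock tree and return "a@1 > b@2 > yargs-parser@x" paths
// for every yargs-parser instance that is not in a fixed range. Transitive
// copies (a dependency of a dependency, as in the npx case) are found too.
function findVulnerableYargsParser(lock) {
  const hits = [];
  (function walk(deps, path) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === 'yargs-parser' && !isFixed(info.version)) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: one stale transitive copy under npx and one
// fixed copy elsewhere. The versions here are illustrative, not taken from
// any real image.
const SAMPLE_LOCK = {
  dependencies: {
    npx: {
      version: '10.2.2',
      dependencies: {
        yargs: {
          version: '11.0.0',
          dependencies: {
            'yargs-parser': { version: '9.0.2' },
          },
        },
      },
    },
    'some-build-tool': {
      version: '1.0.0',
      dependencies: {
        'yargs-parser': { version: '18.1.3' },
      },
    },
  },
};

console.log(findVulnerableYargsParser(SAMPLE_LOCK));
```

Running it prints one path, the copy under npx; the copy pinned at 18.1.3 is silent because it satisfies the last range. The point of reporting the path rather than just the version is the one made later in this thread: a finding like this is only actionable if you can see which package you would have to bump.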
Yes, that is the problem with overly broad CVEs - they undermine the entire system. Unfortunately that's not something individual projects can really fix.
Would you consider upgrading
@bbailleux The question is who are you referring to as you?
See #30
Oh. I wasn't aware of that situation. Yargs being a dependency of a dependency of a build tool, I did not dig very deep in the problem before writing.
Reading the comments in #30, I understand that it is way more complex than expected (and that you is currently… nobody), but with a (small?) hope to come in Q2 of 2020.
but with a (small?) hope to come in Q2 of 2020.
well, can't really call it hope anymore seeing as the second quarter ended last month, lol