Problem/Motivation

GitHub has notified me that minimist, one of our JS dependencies, has a vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

Proposed resolution

Bump minimist from 1.2.0 to 1.2.5 in package.json and yarn.lock.

Remaining tasks

Patch, rebuild JS, commit

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet


Comments

longwave created an issue.

longwave

Status: Active » Needs review
File size: 721.23 KB
longwave

Whoops, wrong patch

longwave

jungle

Status: Needs review » Reviewed & tested by the community

Changes are only made to the package minimist and it looks good to me, so I would RTBC it.

catch

Priority: Normal » Critical
jungle

Title: Bump minimist from 1.2.0 to 1.2.2 » Bump minimist from 1.2.0 to 1.2.5
Issue summary: View changes
Status: Reviewed & tested by the community » Needs review
+++ b/core/package.json
@@ -45,7 +45,7 @@
-    "minimist": "^1.2.0",
+    "minimist": "^1.2.2",
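Review bot: the range written here is ^1.2.2, while the issue summary proposes bumping to 1.2.5, so the two disagree about what is being required. A caret range admits any 1.2.x at or above 1.2.2, which means this line alone does not decide which minimist gets installed; the resolved version comes from yarn.lock. Either align the summary with `"minimist": "^1.2.2"` or raise the range to `^1.2.5` so package.json, the lock and the issue title all state the same floor.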
+++ b/core/yarn.lock
@@ -3736,6 +3736,11 @@ minimist@^1.2.0:
+minimist@^1.2.2:
+  version "1.2.5"
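Review bot: the hunk header `@@ -3736,6 +3736,11 @@ minimist@^1.2.0:` and the absence of any `-` lines show that the new `minimist@^1.2.2:` block is added next to the existing `minimist@^1.2.0:` block rather than replacing it, so any dependency that still requests ^1.2.0 keeps resolving to whatever that older block pins. Please confirm that block's `version` is also 1.2.5, or that yarn has merged the selectors into a single `minimist@^1.2.0, minimist@^1.2.2:` entry; otherwise a second, unpatched copy of minimist stays in node_modules.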

The locked version is 1.2.5, not 1.2.2, so I am changing the title. Would you update the version in package.json too?

longwave

Title: Bump minimist from 1.2.0 to 1.2.5 » Bump minimist from ^1.2.0 to ^1.2.2
Status: Needs review » Reviewed & tested by the community

I think it is OK to specify a minimum version in package.json and have a higher version in the lock, this happens with Composer packages too. Improving the title a bit and setting back to RTBC.
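As an added example (not code from this issue, its patches or the minimist project), the script below makes the package.json-versus-lock distinction concrete: it parses a constructed yarn.lock v1 excerpt, lists every resolved copy of a package, flags entries whose resolved version is below the version carrying the fix, and checks whether a caret range such as ^1.2.2 admits the locked 1.2.5. The lock excerpt, the function names and the placeholder resolved/integrity values are all assumptions made for this example.

```javascript
// Added example: audit a yarn.lock (v1 format) for every resolved copy of a
// package and flag entries that resolve below the version carrying the fix.
// Not code from the Drupal issue or the minimist project; the sample lock
// content below is constructed.

// Parse yarn.lock v1. A block starts with one or more unindented selectors
// ("name@range, name@range:", optionally quoted) followed by indented fields.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const selectors = line
        .replace(/:\s*$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// "minimist@^1.2.0" -> { name: "minimist", range: "^1.2.0" }; the split is on
// the last "@" so scoped packages ("@scope/pkg@^1.0.0") are handled too.
function splitSelector(selector) {
  const at = selector.lastIndexOf("@");
  return { name: selector.slice(0, at), range: selector.slice(at + 1) };
}

function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric compare of "major.minor.patch" strings: <0, 0, >0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Caret semantics: ^1.2.2 admits >=1.2.2 <2.0.0; for 0.x.y the minor is pinned
// as well. Only caret ranges are handled, which is what this issue uses.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled here");
  const min = range.slice(1);
  if (compareVersions(version, min) < 0) return false;
  const pm = parseVersion(min);
  const pv = parseVersion(version);
  if (pm[0] !== pv[0]) return false;
  if (pm[0] === 0 && pm[1] !== pv[1]) return false;
  return true;
}

// Every lock entry for `pkg` whose resolved version is older than `fixedIn`.
function findVulnerableEntries(lockText, pkg, fixedIn) {
  const hits = [];
  for (const entry of parseYarnLock(lockText)) {
    const ranges = entry.selectors
      .map(splitSelector)
      .filter((s) => s.name === pkg)
      .map((s) => s.range);
    if (ranges.length === 0 || entry.version === null) continue;
    if (compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ ranges, version: entry.version });
    }
  }
  return hits;
}

// Constructed yarn.lock excerpt: the old selector block was left in place next
// to the new one, so two copies of minimist would be installed.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


minimist@^1.2.0:
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.0.tgz#CONSTRUCTED"
  integrity sha1-CONSTRUCTED

minimist@^1.2.2:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED
`;

const report = findVulnerableEntries(SAMPLE_LOCK, "minimist", "1.2.2");
console.log("entries still below 1.2.2:", JSON.stringify(report));
console.log("^1.2.2 admits 1.2.5:", satisfiesCaret("^1.2.2", "1.2.5"));
```

To run it against a real tree, replace SAMPLE_LOCK with the contents of core/yarn.lock; an empty result means every selector block for the package resolves at or above the fixed version, which is the property the lock, not the package.json range, guarantees.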

jungle

Thanks! RTBC +1. BTW, #3 is the right patch, even though the comment is "Whoops, wrong patch".

alexpott

Version: 9.0.x-dev » 8.9.x-dev
Status: Reviewed & tested by the community » Needs work

Can we have a Drupal 8 version as well? This package is used there too. I've confirmed that, after applying the patch and running yarn run build, nothing changes.

Committed and pushed 2c247a2d24 to 9.1.x and fd5bf29e33 to 9.0.x. Thanks!

  • alexpott committed 2c247a2 on 9.1.x
    Issue #3120494 by longwave, jungle: Bump minimist from ^1.2.0 to ^1.2.2

  • alexpott committed fd5bf29 on 9.0.x
    Issue #3120494 by longwave, jungle: Bump minimist from ^1.2.0 to ^1.2.2...
jungle

Status: Needs work » Needs review
File size: 1.11 KB

by running $ yarn upgrade minimist@^1.2.2

longwave

Status: Needs review » Reviewed & tested by the community

  • catch committed bd0c57d on 8.9.x
    Issue #3120494 by longwave, jungle, alexpott: Bump minimist from ^1.2.0...

  • catch committed 2b65fb6 on 8.8.x
    Issue #3120494 by longwave, jungle, alexpott: Bump minimist from ^1.2.0...
catch

Version: 8.9.x-dev » 8.8.x-dev
Status: Reviewed & tested by the community » Fixed

Committed bd0c57d and pushed to 8.9.x. Thanks!
Cherry-picked to 8.8.x.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.