schmitzc opened a new issue #507:
URL: https://github.com/apache/cordova-cli/issues/507


   # Bug Report
   
   ## Problem
   
   `yarn audit` finds vulnerabilities in `kind-of` and `minimist` packages:
   
   ```
   ┌───────────────┬──────────────────────────────────────────────────────────────┐
   │ low           │ Prototype Pollution                                          │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Package       │ minimist                                                     │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Dependency of │ cordova                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Path          │ cordova > update-notifier > latest-version > package-json >  │
   │               │ registry-url > rc > minimist                                 │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ More info     │ https://www.npmjs.com/advisories/1179                        │
   └───────────────┴──────────────────────────────────────────────────────────────┘

   ┌───────────────┬──────────────────────────────────────────────────────────────┐
   │ low           │ Validation Bypass                                            │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Package       │ kind-of                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Patched in    │ >=6.0.3                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Dependency of │ cordova                                                      │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Path          │ cordova > cordova-lib > globby > fast-glob > micromatch >    │
   │               │ nanomatch > kind-of                                          │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ More info     │ https://www.npmjs.com/advisories/1490                        │
   └───────────────┴──────────────────────────────────────────────────────────────┘
   ```
   
   ### What is expected to happen?
   
   `yarn audit` should not find any vulnerabilities for the `cordova` dependencies.
   
   ### What does actually happen?
   
   `yarn audit` finds vulnerabilities in the `minimist` and `kind-of` packages.
   
   ## Information
   
   ### Command or Code
   
   `yarn audit`
   
   ### Environment, Platform, Device
   
   N/A
   
   ### Version information
   
   Cordova: Cordova CLI
   
   ## Checklist
   
   - [x] I searched for existing GitHub issues
   - [x] I updated all Cordova tooling to most recent version
   - [x] I included all the necessary information above
   
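As an added example (not part of the issue or of the Cordova project), a small Node.js checker for the "Patched in" ranges quoted in the audit output above: given a resolved version of `minimist` or `kind-of`, it reports whether that version still falls inside the vulnerable range. It supports only the comparator forms those two ranges use; the versions it is exercised with are constructed sample values, not the versions resolved in this issue.

```javascript
// Minimal evaluator for yarn audit "Patched in" ranges (added example).
// Supports comparators >=, <=, >, <, = joined by spaces (AND) and "||" (OR).
// Prerelease tags and ^/~ shorthands are deliberately out of scope.

function parseVersion(v) {
  const parts = v.trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1 comparing a and b numerically per component.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unsupported comparator: ${comparator}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '>=': return c >= 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '<':  return c < 0;
    default:   return c === 0;
  }
}

// True when `version` lies inside the patched range, i.e. the finding no
// longer applies at that version. "||" alternatives are OR, space-separated
// comparators within an alternative are AND.
function isPatched(version, patchedIn) {
  return patchedIn.split('||').some(alt =>
    alt.trim().split(/\s+/).filter(Boolean)
      .every(cmp => satisfiesComparator(version, cmp)));
}

// Ranges copied from the yarn audit output in the issue.
const FINDINGS = {
  minimist: '>=0.2.1 <1.0.0 || >=1.2.3',
  'kind-of': '>=6.0.3',
};

function auditStatus(pkg, version) {
  return isPatched(version, FINDINGS[pkg]) ? 'patched' : 'vulnerable';
}
```

Feed it the version `yarn why <package>` or the lockfile reports for the transitive dependency to see whether bumping the resolution would clear the finding.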


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.