I'm running into a huge number of vulnerabilities. There are 583 vulnerabilities all associated with the package minimist

My package.json is as such:

{
  "name": "weather-wizard",
  "version": "0.1.0",
  "private": true,
  "proxy": "http://localhost:5000",
  "dependencies": {
    "@testing-library/jest-dom": "^4.2.4",
    "@testing-library/react": "^9.4.1",
    "@testing-library/user-event": "^7.2.1",
    "axios": "^0.19.2",
    "chart.js": "^2.9.3",
    "eslint-plugin-flowtype": "^3.13.0",
    "minimist": "^1.2.5",
    "moment": "^2.24.0",
    "node-sass": "^4.13.1",
    "react": "^16.13.0",
    "react-animated-weather": "^4.0.0",
    "react-chartjs-2": "^2.9.0",
    "react-dom": "^16.13.0",
    "react-places-autocomplete": "^7.2.1",
    "react-scripts": "3.4.0",
    "typescript": "^3.8.3"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "eslintConfig": {
    "extends": "react-app"
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

What is the best way to manage these vulnerabilities?

StackedQ
Devon Deason

2 Answers

When you see an issue like this, you first need to check the GitHub repository to see whether they have already been notified, and create an issue so they can fix it soon.

They are taking care of this in the following issue: https://github.com/facebook/create-react-app/issues/8672

Rhuan


Solution, for npm users:

npm install minimist --save-dev (e.g. minimist version 1.2.5)

Add a resolutions key next to the dependencies key in the package.json file:

{
  "resolutions": {
    "minimist": "^1.2.5"
  }
}

Add the line below inside the scripts key in package.json, for example:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Remove node_modules, and then run the command: npm install.

While npm audit fix fixes dependency
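As an added example (not part of the question or either answer), a small Node.js script that walks a lockfileVersion 1 package-lock.json and lists every installed copy of minimist that is still below the fixed version, which is the check to run after the reinstall to confirm the resolutions override actually reached the nested copies; SAMPLE_LOCK is constructed sample data, not the asker's real lockfile.

```javascript
// Added example, not from the question or answers: walk a package-lock.json
// (lockfileVersion 1, nested "dependencies") and list every installed copy of a
// package older than the fixed version. SAMPLE_LOCK is constructed data.
const SAMPLE_LOCK = {
  name: "weather-wizard",
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: "1.2.5" },
    mkdirp: {
      version: "0.5.1",
      requires: { minimist: "0.0.8" },
      dependencies: { minimist: { version: "0.0.8" } },
    },
    "react-scripts": {
      version: "3.4.0",
      dependencies: {
        mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "1.2.0" } } },
      },
    },
  },
};

// Compare two plain "x.y.z" versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `pkg`, with its path in the tree
// (a nested copy means a dependency pinned its own, possibly old, version).
function findInstalled(deps, pkg, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === pkg) out.push({ path: here.join(" > "), version: info.version });
    findInstalled(info.dependencies, pkg, here, out);
  }
  return out;
}

// Copies still below the minimum fixed version; an empty list means the override worked.
function vulnerableCopies(lock, pkg, minFixed) {
  return findInstalled(lock.dependencies, pkg)
    .filter((c) => compareVersions(c.version, minFixed) < 0);
}

vulnerableCopies(SAMPLE_LOCK, "minimist", "1.2.5").forEach((c) => console.log("still vulnerable:", c.path));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; a non-empty result means some dependency still ships its own old minimist despite the top-level version.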