3

I've been doing an Angular 9 project for some time now. A while back, a warning popped up about a moderate security vulnerability with the minimist package. However, when I try to fix them with (sudo) npm audit fix, it can't fix these issues, and (sudo) npm update won't update them either, even though they have newer versions. How can I fix this?

You can reproduce this problem with a brand new Angular 9 application; minimist is installed by default. For a new project, they will show up as a 'low' level vulnerability, but I think the gist of it is the same.

Luctia

2 Answers

3

This is a great question. I do this to fix the vulnerability issue.

Add this in package.json as the last entry, after devDependencies:

    "resolutions": {
      "minimist": "^1.2.5"
    }

And in the scripts section add:

    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }

When you finish, run this in your terminal:

    npx npm-force-resolutions && npm install

But when installing a new package it usually goes back to the previous version and I run the previous command again.

Javier López
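A check for the reversion described in the answer above, as an added example that is not part of the original answer: it walks a parsed package-lock.json and lists every minimist copy below the 1.2.5 floor taken from the resolutions entry. The function names and the sample lockfile are constructed for illustration, and the code also handles the npm 7+ "packages" layout, which goes beyond the npm 6 case on this page.

```javascript
// Added example: list minimist copies in a parsed package-lock.json that are
// older than the floor used in the answer's "resolutions" entry.
const FLOOR = "1.2.5";

// Numeric compare of x.y.z versions; pre-release suffixes are ignored.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` below `floor`, with where it sits.
function findOutdated(lock, name = "minimist", floor = FLOOR) {
  const hits = [];
  const check = (where, info) => {
    // Link entries and similar have no version string; skip them.
    if (typeof info.version === "string" && cmpVersion(info.version, floor) < 0) {
      hits.push({ path: where, version: info.version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3 (npm 7+): flat map keyed by install path.
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith("node_modules/" + name)) check(key, info);
    }
    return hits;
  }
  // lockfileVersion 1 (npm 6): nested "dependencies" objects.
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = [...trail, dep];
      if (dep === name) check(path.join(" > "), info);
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample in lockfileVersion 1 shape (not from a real project).
const sampleLock = { lockfileVersion: 1, dependencies: {
  minimist: { version: "1.2.5" },
  mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } },
  optimist: { version: "0.6.1", dependencies: { minimist: { version: "0.0.10" } } },
} };
console.log(findOutdated(sampleLock));
```

Run against the real lockfile after each install, a non-empty result means a nested copy has gone back below the floor and the resolutions step needs to be rerun.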
2

At the moment you can't fix it, because Angular 9 is not compatible with the (new) minimist version, which does not have vulnerabilities. You can follow the issues on GitHub:

https://github.com/substack/minimist/issues/145

https://github.com/angular/angular/issues/36104

SAM