
We are facing a critical vulnerability in minimist, which is added as a transitive dependency.

+-- ember-cli@3.24.0
| +-- bower-config@1.4.3
| | `-- minimist@0.2.1

We tried to resolve this using a couple of methods recommended on multiple forums, but still no luck. Any pointers will help.

Method 1: Resolutions

Changes in package.json file

  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "minimist": "1.2.6"
  }

Method 2: Overrides

  "overrides": {
    "ember-cli": {
      "bower-config": {
        "minimist": "1.2.6"
      }
    }
  }

NPM Version 8.1.2

Gautam
  • Stupid suggestions, but have you tried to: 1) upgrade ember? 2) remove the bower? (it's kinda under the deprecation process in ember nowadays) – Andrey Stukalin May 10 '22 at 06:47
  • Thanks for the reply @AndreyStukalin, we tried with 3.28.0 (LTS) but that's not resolving it either. How can I manually remove bower from ember-cli? – Gautam May 10 '22 at 07:32
  • Bower is still available internally in Ember CLI for a bit longer, but you have no security risk if you aren't using bower, as the dependency that is being flagged is never used in a production context – acorncom May 13 '22 at 19:21

1 Answer


Had the same problem (with an older ember, but still). For yarn, something like this did the trick:

"resolutions": {
  "ember-cli/bower-config/minimist": "1.2.6"
}

The equivalent in npm would be the overrides field, available from npm 8.3.0. It should look something like this:

"overrides": {
  "minimist": "1.2.6"
}

or

"overrides": {
  "ember-cli": {
    "bower-config": {
      "minimist": "1.2.6"
    }
  }
}

Godric
  • Thanks for your inputs, +1. Yes, I was able to achieve this using a similar approach; however, I forgot to update the answer. Will update with a detailed answer. – Gautam May 23 '22 at 07:12
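As an added example (not code from the question or the answer above), a small Node.js check that the override actually took effect: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for every installed copy of minimist, nested or hoisted, and flags any copy still older than 1.2.6. The two lockfiles embedded below are constructed samples standing in for the real file.

```javascript
// Added example (not from the question or answer): after applying an npm
// "overrides" entry, confirm in package-lock.json (lockfileVersion 2/3) that
// no copy of the vulnerable package remains below the fixed version.
const MIN_FIXED = "1.2.6"; // version the post pins minimist to

// Compare two dotted version strings numerically (prerelease tags ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` in the lockfile's "packages" map; nested
// copies carry the parent chain in their node_modules path.
function findInstalled(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith("/" + suffix))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Copies of `name` older than `minVersion`; an empty list means the override took effect.
function vulnerableCopies(lock, name, minVersion) {
  return findInstalled(lock, name).filter((e) => compareVersions(e.version, minVersion) < 0);
}

// Constructed sample: lockfile before the override, with the nested 0.2.1 copy.
const lockBefore = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/ember-cli": { version: "3.24.0" },
    "node_modules/ember-cli/node_modules/bower-config": { version: "1.4.3" },
    "node_modules/ember-cli/node_modules/bower-config/node_modules/minimist": { version: "0.2.1" },
    "node_modules/minimist": { version: "1.2.6" },
  },
};

// Constructed sample: after "overrides": {"minimist": "1.2.6"} the nested copy is
// gone and bower-config resolves to the top-level 1.2.6.
const lockAfter = { lockfileVersion: 2, packages: { ...lockBefore.packages } };
delete lockAfter.packages["node_modules/ember-cli/node_modules/bower-config/node_modules/minimist"];

console.log(vulnerableCopies(lockBefore, "minimist", MIN_FIXED)); // one entry, version 0.2.1
console.log(vulnerableCopies(lockAfter, "minimist", MIN_FIXED));  // []
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and keep the same calls.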