
WhiteSource has reported a high security issue with the following libraries for yargs-parser in my repo:

  1. build-angular-0.13.8.tgz (Root Library)
         node-sass-4.11.0.tgz
             sass-graph-2.2.4.tgz
                 yargs-7.1.0.tgz
                     yargs-parser-5.0.0.tgz (Vulnerable Library)

  2. build-angular-0.13.8.tgz (Root Library)
         webpack-dev-server-3.1.14.tgz
             yargs-12.0.2.tgz
                 yargs-parser-10.1.0.tgz (Vulnerable Library)

  3. protractor-6.0.0.tgz (Root Library)
         webdriver-manager-13.0.0.tgz
             yargs-12.0.5.tgz
                 yargs-parser-11.1.1.tgz (Vulnerable Library)

  4. compiler-cli-7.2.14.tgz (Root Library)
         yargs-9.0.1.tgz
             yargs-parser-7.0.0.tgz (Vulnerable Library)

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects. Parsing the argument `--foo.__proto__.bar baz` adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

WhiteSource has suggested this fix: yargs-parser/v/18.1.2, yargs-parser/v/15.0.1

I need a suggestion to resolve this issue. I mean, which yargs-parser should I use, and how?

Anand Gargate
  • What are you expecting to get as an answer? It's not very clear from your post. Are you trying to report or publicize a security vulnerability? This is not the place to do that. – A. R. Jun 03 '20 at 20:54
  • @AndrewRay I am not reporting any security issue; as the title says, I need help in resolving a security issue which WhiteSource reported. – Anand Gargate Jun 04 '20 at 04:50
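The mechanism the advisory text in the question describes, as an added example (not code from the question, the answer, or yargs-parser itself): a minimal dotted-key setter of the kind an argv parser uses, first in an unsafe form where `--foo.__proto__.bar baz` walks onto `Object.prototype`, then in a hardened form that rejects prototype-chain segments. `parseArg`, `setPathUnsafe`, `setPathSafe` and the argv strings are all constructed for the demonstration.

```javascript
// Added example, not code from the question, the answer or yargs-parser itself.
// A minimal dotted-key argv setter in two forms: the unsafe form lets
// "--foo.__proto__.bar baz" walk onto Object.prototype, the hardened form
// rejects prototype-chain segments. The argv strings are constructed.

// Hypothetical helper: turn "--a.b.c" into its path segments.
function parseArg(arg, value) {
  return { path: arg.replace(/^--/, '').split('.'), value };
}

// UNSAFE: creates intermediate containers without filtering any segment, so
// the "__proto__" segment resolves to Object.prototype and the final
// assignment lands there, visible on every object in the process.
function setPathUnsafe(target, path, value) {
  let obj = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (obj[seg] === undefined) obj[seg] = {};
    obj = obj[seg];
  }
  obj[path[path.length - 1]] = value;
  return target;
}

// HARDENED: deny the segments that reach the prototype chain and only walk
// through own, plain-object properties of the current container. yargs-parser's
// own fix likewise rejects "__proto__"; this mirrors the idea, not its code.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const bad = path.find((seg) => FORBIDDEN.has(seg));
  if (bad !== undefined) {
    throw new Error(`refusing key path with unsafe segment "${bad}": ${path.join('.')}`);
  }
  let obj = target;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(obj, seg);
    if (!own || typeof obj[seg] !== 'object' || obj[seg] === null) {
      obj[seg] = Object.create(null); // null-prototype container: nothing to pollute
    }
    obj = obj[seg];
  }
  obj[path[path.length - 1]] = value;
  return target;
}

// Runs the unsafe setter on the advisory's argument and reports what an
// unrelated object sees afterwards; cleans up so the process is not left polluted.
function demoUnsafe() {
  const { path, value } = parseArg('--foo.__proto__.bar', 'baz');
  setPathUnsafe({}, path, value);
  const leaked = ({}).bar; // 'baz': the property now exists on every object
  delete Object.prototype.bar;
  return leaked;
}

// Runs the hardened setter: the malicious path is rejected, an ordinary
// nested path still works, and unrelated objects are untouched.
function demoSafe() {
  const parsed = {};
  let rejected = false;
  try {
    const { path, value } = parseArg('--foo.__proto__.bar', 'baz');
    setPathSafe(parsed, path, value);
  } catch (err) {
    rejected = true;
  }
  const ok = parseArg('--foo.depth.level', '3');
  setPathSafe(parsed, ok.path, ok.value);
  return { rejected, leaked: ({}).bar, nested: parsed.foo.depth.level };
}

console.log('unsafe setter leaked:', demoUnsafe());
console.log('hardened setter:', demoSafe());
```

The unsafe walk is what makes "only exploitable if attackers control the arguments" the relevant condition: anything that feeds untrusted strings into such a parser (a CLI wrapper around user input, a build script taking parameters from a web form) turns the missing check into a process-wide property injection. The hardened setter combines a deny-list with own-property traversal and null-prototype containers, so even a segment that slipped past the list could not reach `Object.prototype`.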

1 Answer


Solving WhiteSource (Mend) issues sometimes becomes tricky, as you can't be sure the package version you have upgraded to will be compatible with other packages. Steps to solve:

  1. Check your package.json dependencies and devDependencies to be sure that you have correct semantic versioning, at least for your main packages. The most used range selectors are ~ and ^; read more here (https://github.com/npm/node-semver).

  2. Run the npm audit and npm audit fix commands. This will fix some vulnerabilities. If all the vulnerabilities are fixed, check that the application is running fine and you are done. (You can try npm update as well.)

  3. For the remaining packages listed in the WhiteSource report, run the npm ls command; this will list the packages which have the vulnerable package as their dependency. Most libraries use proper semantic versioning, so updating them to their latest version will also update their dependencies to a version where the WhiteSource issue is fixed. (You can use the Version Lens VSCode plugin if you are using the default npm registry; most organizations have a JFrog Artifactory, so the plugin might not help.)

  4. One of the most straightforward ways can be to add overrides in package.json (resolutions in yarn); this will basically override your dependencies' dependencies. e.g.

    "overrides": { "@angular-devkit/build-angular": { "typescript": "~4.8.2" } }

  5. Run the application to check for any compilation/functionality issues.

Siddharth Sharma
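Steps 3 and 4 of the answer carried out in code, as an added example (not the answer's own code, and not an npm or WhiteSource/Mend tool): walk an npm-ls / package-lock style dependency tree, list every path that ends in a vulnerable yargs-parser, and draft the package.json `overrides` block with one entry per root library. `TREE` is constructed from the four chains in the question; the scoped names `@angular-devkit/build-angular` and `@angular/compiler-cli` are assumed, and the affected ranges (with patched releases 13.1.2, 15.0.1 and 18.1.2) are taken from the yargs-parser advisory rather than from the question, which lists only 18.1.2 and 15.0.1, so check them against your own scanner report.

```javascript
// Added example, not code from the answer and not an npm or WhiteSource/Mend
// tool. It walks an npm-ls / package-lock style dependency tree (step 3),
// lists every path that ends in a vulnerable yargs-parser, and drafts the
// package.json "overrides" block from step 4, one entry per root library.
// TREE is constructed from the four chains in the question; the scoped names
// @angular-devkit/build-angular and @angular/compiler-cli are assumed.

function dep(version, dependencies) {
  return dependencies ? { version, dependencies } : { version };
}

const TREE = {
  '@angular-devkit/build-angular': dep('0.13.8', {
    'node-sass': dep('4.11.0', {
      'sass-graph': dep('2.2.4', { yargs: dep('7.1.0', { 'yargs-parser': dep('5.0.0') }) }),
    }),
    'webpack-dev-server': dep('3.1.14', { yargs: dep('12.0.2', { 'yargs-parser': dep('10.1.0') }) }),
  }),
  protractor: dep('6.0.0', {
    'webdriver-manager': dep('13.0.0', { yargs: dep('12.0.5', { 'yargs-parser': dep('11.1.1') }) }),
  }),
  '@angular/compiler-cli': dep('7.2.14', { yargs: dep('9.0.1', { 'yargs-parser': dep('7.0.0') }) }),
};

const PACKAGE = 'yargs-parser';
// Affected ranges [min inclusive, max exclusive] and patched releases, taken
// from the yargs-parser prototype-pollution advisory as an assumption here;
// verify them against your own scanner report before relying on them.
const AFFECTED = [['0.0.0', '13.1.2'], ['14.0.0', '15.0.1'], ['16.0.0', '18.1.2']];
const PATCHED = ['13.1.2', '15.0.1', '18.1.2']; // ascending

// Numeric dotted-version compare; ignores prerelease tags (enough for this tree).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerable(version) {
  return AFFECTED.some(([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Smallest patched release above the current one: the least disruptive jump.
function nearestPatched(version) {
  return PATCHED.find((p) => compareVersions(p, version) > 0) || null;
}

// Depth-first walk; returns every chain (root first) ending in a vulnerable PACKAGE.
function findVulnerablePaths(deps, chain = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps)) {
    const here = [...chain, `${name}@${info.version}`];
    if (name === PACKAGE && isVulnerable(info.version)) hits.push(here);
    if (info.dependencies) hits.push(...findVulnerablePaths(info.dependencies, here));
  }
  return hits;
}

// Drafts { <root>: { "yargs-parser": <patched> } } for package.json "overrides".
function planOverrides(paths) {
  const overrides = {};
  for (const path of paths) {
    const root = path[0].slice(0, path[0].lastIndexOf('@')); // strip @version; scoped names keep their leading @
    const current = path[path.length - 1].split('@').pop();
    const target = nearestPatched(current);
    // If two chains under one root disagree, keep the higher target.
    if (!overrides[root] || compareVersions(target, overrides[root][PACKAGE]) > 0) {
      overrides[root] = { [PACKAGE]: target };
    }
  }
  return overrides;
}

const paths = findVulnerablePaths(TREE);
for (const p of paths) console.log(p.join(' > '));
console.log(JSON.stringify({ overrides: planOverrides(paths) }, null, 2));
```

The drafted block goes under the `"overrides"` key that npm reads from package.json (`"resolutions"` for yarn, as the answer notes). Picking the nearest patched line keeps the jump small, but it is still a major-version change for every yargs in this tree (yargs 7 was written against yargs-parser 5), which is exactly why step 5 of the answer, running the application after the override, is not optional.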