@quasar/app relies on minimist 1.2.5 but should be 1.2.6 due to security issues

[geoffsmiths]

What happened?

After an npm audit:

npm audit report
minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/minimist
  @quasar/app  *
  Depends on vulnerable versions of minimist
  node_modules/@quasar/app
2 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.

What did you expect to happen?

That @quasar/app should use minimist@1.2.6

Reproduction URL

https://github.com/quasarframework/quasar/blob/dev/cli/package.json

How to reproduce?

1. npm init
2. npm install @quasar/app and then you get 2 high severity vulnerabilities
3. npm audit

Step 3 shows:

# npm audit report

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/minimist
  @quasar/app  *
  Depends on vulnerable versions of minimist
  node_modules/@quasar/app

2 high severity vulnerabilities

Flavour

Quasar CLI (@quasar/cli | @quasar/app)

Areas

Quasar CLI Commands/Configuration (@quasar/cli | @quasar/app)

Platforms/Browsers

Other

Quasar info output

No response

Relevant log output

No response

Additional context

No response

[rstoenescu]

Will be available in q/app v2.2.12

[onursezn]

# npm audit report

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install @quasar/app@2.2.12, which is a breaking change
node_modules/@quasar/app/node_modules/minimist
  @quasar/app  <=2.2.11 || >=3.0.0-alpha.0
  Depends on vulnerable versions of minimist
  node_modules/@quasar/app

Currently I am using "@quasar/app": "^3.0.0". Fix says to install 2.2.12. When I downgrade quasar/app to 2.2.12, I get way more vulnerabilities. Are there any versions newer than 3.0.0 does have minimist 1.2.6?

Thanks.

[MilosPaunovic]

Package @quasar/app diverged to @quasar/app-vite and @quasar/app-webpack. Run commands below for the CLI to handle updates for you.

npm i -d @quasar/cli@latest
quasar upgrade -i

[onursezn]

Hi Milos,

I have run the suggested commands. Quasar, quasar cli, quasar extras are updated however I still get the minimist error when I run npm audit. It still suggests downgrading the quasar/app to 2.2.12.

Below is my npm list

+-- @babel/eslint-parser@7.17.0
+-- @quasar/app@3.3.3
+-- @quasar/cli@1.3.2
+-- @quasar/extras@1.13.5
+-- @vue/eslint-config-standard@6.1.0
+-- @vue/eslint-config-typescript@7.0.0
+-- axios@0.21.4
+-- bourbon-neat@4.0.0
+-- bourbon@7.2.0
+-- core-js@3.21.1
+-- dotenv@16.0.0
+-- eslint-config-prettier@8.5.0
+-- eslint-config-standard@16.0.3
+-- eslint-plugin-vue@7.0.0
+-- eslint-webpack-plugin@2.6.0
+-- eslint@7.32.0
+-- node-neat@2.0.0-beta.0
+-- node-sass@7.0.1
+-- quasar-app-extension-ide-helper@1.0.0
+-- quasar@2.6.5
+-- sass-loader@12.6.0
+-- sonarqube-scanner@2.8.1
+-- vue-i18n@9.1.9
`-- vuex@4.0.2

[rstoenescu]

@onursezn run quasar upgrade -i inside of your q/app v3 folder. it'll upgrade it to the newer q/app-webpack. You're definitely not running q/app-webpack.

[onursezn]

@rstoenescu thank you it worked after upgrading the @quasar/app to 3.3.3 and running your suggested command.