How to fix a Minimist Vulnerability in Your Express Application
March 27, 2020
Last Updated: September 21, 2023
I wrote this article back when I was first getting into web development and blogging.
If your Express application uses Mocha to handle testing then you have probably been getting vulnerability warnings from GitHub. In versions of Minimist before 1.2.3 there is a prototype pollution vulnerability. This could allow attackers to manipulate attributes of a JavaScript object prototype causing your application to behave in ways you didn’t intend. Here’s how you fix it!
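To make the risk concrete, here is an added example (not code from the original post or from Minimist) showing the pattern behind this class of bug, a check you can drop into a test suite to catch it, and the hardened form of the same routine. The setPathUnsafe and setPathSafe functions are stand-ins written for this illustration, not Minimist's own parser.

```javascript
// Added example (not from the original post): the prototype pollution pattern
// the post warns about, a detection check, and a hardened key-path setter.
// `setPathUnsafe` is a deliberately minimal stand-in for the vulnerable
// pattern; `setPathSafe` is the guarded form. Neither is Minimist's code.

// Keys that must never be used to walk or assign into an object from untrusted
// input: they reach the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walks a dotted path and assigns blindly. A path such as
// "__proto__.polluted" lands on Object.prototype, so every object inherits it.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (node[keys[i]] === undefined) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened form: reject prototype-reaching keys and only descend into own
// properties, so untrusted input can never modify a shared prototype.
function setPathSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set path containing a reserved key: ${path}`);
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(node, keys[i])) node[keys[i]] = {};
    node = node[keys[i]];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Detection check suitable for a Mocha/Chai test: a freshly created empty
// object should have no enumerable properties at all. Anything that for...in
// finds came from the prototype chain and indicates pollution.
function prototypeIsPolluted() {
  const probe = {};
  for (const _key in probe) return true; // eslint-disable-line no-unused-vars
  return false;
}

// Runs the three functions against each other and reports what happened.
// The shared prototype is cleaned up afterwards so nothing leaks out.
function demonstrate() {
  const before = prototypeIsPolluted();            // false on a clean runtime
  setPathUnsafe({}, '__proto__.polluted', 'yes');
  const during = prototypeIsPolluted();            // true: {} now inherits "polluted"
  delete Object.prototype.polluted;                // restore the shared prototype
  let safeRejected = false;
  try {
    setPathSafe({}, '__proto__.polluted', 'yes');
  } catch (e) {
    safeRejected = true;                           // the hardened setter refuses
  }
  return { before, during, after: prototypeIsPolluted(), safeRejected };
}
```

In a real suite, prototypeIsPolluted() is the assertion to run after any code path that parses untrusted input into objects; it will fail the moment a dependency starts writing into Object.prototype.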
First I’d like to state I didn’t figure this out on my own. I found the solution on this GitHub page from a user called ejke. You might have to scroll a bit to find her comment.
For me, running “npm audit fix” resulted in the following message:
npm audit fix
fixed 2 of 3 vulnerabilities in 541 scanned packages
  1 vulnerability required manual review and could not be updated
Instead, you have to force-update mocha by removing it from “package.json” in your application. I have it installed under “devDependencies”:
{
  "devDependencies": {
    "chai": "^4.2.0",
    "mocha": "^7.1.0",
    "nodemon": "^2.0.2",
    "supertest": "^4.0.2"
  }
}
After manually removing mocha, go ahead and reinstall it:
npm i mocha -D
rm -rf node_modules/ package-lock.json
After that:
npm install
npm audit
After that, Mocha should be updated to v7.1.1:
{
  "devDependencies": {
    "chai": "^4.2.0",
    "mocha": "^7.1.1",
    "nodemon": "^2.0.2",
    "supertest": "^4.0.2"
  }
}
This should fix the minimist vulnerability. Eventually, it probably won’t be necessary to fix it this way. But for now, it does the trick.
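Bumping “mocha” in package.json only proves the fix landed if no other package still pins an old Minimist deeper in the tree. Here is an added example (not from the original post) that walks a package-lock.json and reports every installed copy of minimist below the patched release, whether it sits at the top level or nested under another package. The sample lockfile is constructed for this illustration; in a real project you would JSON.parse the file from disk. The 0.2.1 threshold for the 0.x line is the backport release from the Minimist advisory, not something the post states.

```javascript
// Added example (not from the original post): find any installed copy of
// minimist in package-lock.json that is still below the fixed release.
// Handles both lockfile layouts: v1 nests "dependencies" recursively,
// v2/v3 list every installed path flat under "packages".

// Fixed releases per major line: 1.2.3 as the post states, and 0.2.1, the
// 0.x backport from the advisory. Later majors are treated as unaffected.
const FIXED = { 1: [1, 2, 3], 0: [0, 2, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

function isVulnerableMinimist(version) {
  const v = parseVersion(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return false;
  return lessThan(v, fixed);
}

// Collects { path, version } for every minimist entry in the lock.
function findMinimist(lock) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/mocha/node_modules/minimist"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === 'node_modules/minimist' || path.endsWith('/node_modules/minimist')) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  // v1: nested "dependencies" objects, one level per node_modules directory
  function walkV1(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'minimist') found.push({ path, version: entry.version });
      walkV1(entry.dependencies, `${path}/`);
    }
  }
  walkV1(lock.dependencies, '');
  return found;
}

// Returns only the copies that still need attention.
function auditLock(lock) {
  return findMinimist(lock).filter((e) => isVulnerableMinimist(e.version));
}

// Constructed sample: a v1-style lockfile with a patched top-level minimist
// and an older copy nested under mocha's dependency tree.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.5', dev: true },
    mocha: {
      version: '7.1.0',
      dev: true,
      dependencies: {
        minimist: { version: '1.2.0', dev: true },
      },
    },
  },
};

// Usage: node audit-minimist.js (prints the nested 1.2.0 copy under mocha)
for (const hit of auditLock(SAMPLE_LOCK)) {
  console.log(`vulnerable minimist ${hit.version} at ${hit.path}`);
}
```

If the script prints nothing after the reinstall, every copy of minimist in the lockfile is at or above the patched release; if it still lists a nested path, the package at that path is the one that needs updating next.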