Safeguard
Security Guides

minimist Security Guide (2026)

minimist is the tiny argument parser buried under a huge slice of the npm ecosystem — and two prototype-pollution CVEs made this 'harmless' 100-line library one of the most widely flagged transitive dependencies in JavaScript.

Priya Mehta
Security Researcher
6 min read

minimist is a minimal command-line argument parser for Node.js — a few dozen lines that turn process.argv into a plain options object. It is the kind of library nobody adds on purpose and almost everybody ships: for years it sat under a staggering fraction of the npm ecosystem as a transitive dependency of build tools, CLIs, test runners, and frameworks, with weekly download counts in the tens of millions. That combination of tiny footprint and enormous reach is exactly why its security history matters. minimist has two real, widely exploited prototype-pollution CVEs, and because it is so deeply transitive, those advisories appeared in the dependency tree of a huge number of projects that had never heard of the package.

The notable historical CVEs

Both of minimist's headline advisories are prototype pollution — an attacker crafts argument keys that walk up the JavaScript prototype chain and mutate Object.prototype, so properties leak into every object in the process. These are both real and heavily tracked:

  • CVE-2020-7598 — minimist before 1.2.3 (and before 0.2.1 on the legacy line) allowed prototype pollution through crafted arguments. The fix added checks for dangerous keys such as __proto__ and the various prototype properties so parsed options could no longer reach the base prototype.
  • CVE-2021-44906 — the fix for the first CVE missed a case. minimist before 1.2.6 (and before 0.2.4 on the legacy line) was still vulnerable because the guard did not cover constructor and Function.prototype, leaving a path back to prototype pollution. This one is rated critical and is the version bump most teams remember, because it lit up scanners across the ecosystem in early 2022.

The pattern is instructive: the first patch looked complete, shipped, and was widely adopted — and a follow-up disclosure a couple of years later showed a gap the original allow-list did not cover. Prototype pollution is easy to under-fix, which is why the safe floor moved twice.

Common misuse and risks

  • Parsing untrusted argument-like input. minimist is built for process.argv, which is normally controlled by whoever launches the process. The CVEs become dangerous when a program feeds attacker-influenced data — arguments assembled from an HTTP request, a webhook, a job queue, or a config string — into minimist. That is when a crafted __proto__ key mutates global state.
  • Assuming prototype pollution is harmless. A polluted Object.prototype can flip security-relevant defaults, inject properties that later code trusts, cause denial of service, or, chained with a downstream sink, escalate to code execution. It is rarely the whole exploit, but it is a reliable first link.
  • Running it deeply transitive and stale. Because minimist is almost always indirect, a project can carry a vulnerable copy long after the ecosystem moved on, pinned by some intermediate package's loose range.
  • Duplicate copies in the tree. A single lockfile can resolve several minimist versions at different depths, so "we upgraded minimist" is often only true for one of them.

How to use minimist safely

Set the version floor: run minimist 1.2.6 or later (or 0.2.4 on the legacy 0.x line). That is the release that closed the constructor/Function.prototype gap behind CVE-2021-44906 and includes the earlier CVE-2020-7598 fix. Since the API is stable, this upgrade is almost always painless.

Then reduce the blast radius:

  • Do not feed untrusted data into an argument parser. minimist is for launch-time CLI arguments. If you are parsing input that an attacker can shape, validate it against a schema first, or use a parser designed for untrusted input rather than one that mirrors keys onto an object.
  • Deduplicate the tree. After upgrading, run npm ls minimist (or the yarn/pnpm equivalent) to confirm every resolved copy is at a safe version, and use overrides/resolutions to force old transitive pins up.
  • Freeze the object model where you can. Defense-in-depth measures — avoiding property access that trusts inherited keys, and treating parsed options as untrusted — blunt prototype-pollution chains even if a vulnerable parser slips in.
  • Pin and monitor. Commit a lockfile so a loose range cannot silently reintroduce a vulnerable version.

How to monitor minimist with SCA and reachability

minimist is the textbook transitive dependency: a scanner will flag it in projects whose authors never installed it directly, often in multiple copies at once. A raw version list tells you it is present; what you need to know is whether any code path actually parses attacker-influenced input through it, and whether every resolved copy — not just the top-level one — is patched.

Safeguard's software composition analysis resolves your complete npm dependency graph, surfaces every minimist version in the tree, and adds reachability so a prototype-pollution advisory that sits on a real, attacker-reachable parsing path is separated from a copy buried in a dev-only tool. When a bump is warranted, autonomous auto-fix opens a tested pull request — including the overrides needed to lift stubborn transitive pins — and Griffin AI explains whether a given copy is actually exploitable. Developers run the same analysis locally and in CI with the Safeguard CLI, and teams evaluating alternatives can review the Snyk comparison.

Bring continuous, prioritized dependency analysis to your Node.js services — get started free or read the documentation.

Frequently Asked Questions

Which minimist version is safe in 2026?

Run minimist 1.2.6 or later, or 0.2.4 on the legacy 0.x line. 1.2.6 closed the constructor/Function.prototype gap behind CVE-2021-44906 and includes the earlier prototype-pollution fix from CVE-2020-7598 that shipped in 1.2.3. Because the API has been stable for years, this upgrade rarely breaks anything.

What is prototype pollution and why does it matter here?

It is an attack where crafted keys like __proto__ walk up the JavaScript prototype chain and mutate Object.prototype, so injected properties appear on every object in the process. In minimist, malicious argument keys could reach the base prototype, which can flip trusted defaults, enable denial of service, or serve as the first link in a chain toward code execution.

Is minimist safe if I only parse process.argv?

The risk is much lower when the only input is genuine launch-time CLI arguments that you control, but you should still upgrade to a patched version. The danger appears when a program feeds attacker-influenced data — from a request, webhook, or queue — into minimist, so avoid using it as a parser for untrusted input regardless.

How do I know if a minimist CVE actually affects my app?

Use reachability-aware SCA. It enumerates every minimist copy in your dependency tree, including deep transitive ones, and traces whether any of them sits on a path that parses attacker-influenced input — so you can prioritize a genuinely reachable copy over one pinned inside a dev-only tool that never touches untrusted data.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.