vue-cli-ui depends on watch, which has several known security issues and is abandoned. #6486

dpash · 2021-05-18T08:38:52Z

Version

5.0.0-beta.0

Reproduction link

https://github.com/dpash/vue-cli-watch-bug

Environment info


Environment Info:

  System:
    OS: Linux 5.11 Ubuntu 21.04 (Hirsute Hippo)
    CPU: (4) x64 AMD Ryzen 3 2200G with Radeon Vega Graphics
  Binaries:
    Node: 16.1.0 - /usr/bin/node
    Yarn: Not Found
    npm: 7.11.2 - /usr/bin/npm
  Browsers:
    Chrome: 90.0.4430.212
    Firefox: 88.0.1
  npmPackages:
    @vue/cli: ^5.0.0-beta.1 => 5.0.0-beta.1 
    @vue/cli-shared-utils:  5.0.0-beta.1 
    @vue/cli-ui:  5.0.0-beta.1 
    @vue/cli-ui-addon-webpack:  5.0.0-beta.1 
    @vue/cli-ui-addon-widgets:  5.0.0-beta.1 
    @vue/compiler-core:  3.0.11 
    @vue/compiler-dom:  3.0.11 
    @vue/shared:  3.0.11 
    typescript:  4.1.5 
    vue:  2.6.12 
    vue-codemod:  0.0.5 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Install @vue/cli, run npm audit

Check out the 5.0.0-beta.1 branch for the result with that version

What is expected?

No errors

What is actually happening?

merge  <2.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1666
No fix available
node_modules/merge
  exec-sh  <=0.3.1
  Depends on vulnerable versions of merge
  node_modules/exec-sh
    watch  >=0.14.0
    Depends on vulnerable versions of exec-sh
    node_modules/watch
      @vue/cli-ui  *
      Depends on vulnerable versions of watch
      node_modules/@vue/cli-ui
        @vue/cli  *
        Depends on vulnerable versions of @vue/cli-ui
        node_modules/@vue/cli

Merge has a security issue.

exec-sh has removed the dependency on merge since 17 Oct 2018 (version 0.3.2). tsertkov/exec-sh@933cc02

Watch depends on exec-sh 0.2.0 and watch hasn't had any commits or releases in 4 years, There is even an open PR to upgrade watch to use a more recent version of exec-sh, but hasn't been looked at for three years. mikeal/watch#143

According to mikeal/watch#149 https://www.npmjs.com/package/chokidar is a suitable replacement.

The text was updated successfully, but these errors were encountered:

Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.

Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.

This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744.

This commit changes the behavior of auditing to audit only production dependencies. Security checks have been failing for months due to Vue CLI dependencies and lack of resolution from the developers. This commit makes auditing ignore development dependencies. The reasons include: - Vulnerabilities in developer dependencies cause pipelines to fail on every run. - This is caused by dependencies such that lack resolution from the developers. Vue developers consider `npm audit` broken design and do not prioritize solutions. Discussions: vuejs/vue-cli#6637, vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553, vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632. - Development packages are not relevant for the production payload. - False positives create behavior of ignoring them completely instead of taking action, which creates a security vulnerability itself. - Failed tests are shown in a badge on README file, giving wrong picture of security posture of users. `npm audit --omit=dev` is used instead of `npm audit --production` which is deprecated as of npm v8.7.0 npm/cli#4744. This commit also removes exiting with output of `npm audit` command to fix exiting with textual output, leading to failures.

haoqunjiang added priority: next scope: ui labels May 18, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

vue-cli-ui depends on watch, which has several known security issues and is abandoned. #6486

vue-cli-ui depends on watch, which has several known security issues and is abandoned. #6486

dpash commented May 18, 2021

vue-cli-ui depends on watch, which has several known security issues and is abandoned. #6486

vue-cli-ui depends on watch, which has several known security issues and is abandoned. #6486

Comments

dpash commented May 18, 2021

Version

Reproduction link

Environment info

Steps to reproduce

What is expected?

What is actually happening?