
Fix High severity vulnerabilities #6976

Closed
inghylt opened this issue Jan 31, 2022 · 10 comments

Comments

@inghylt

inghylt commented Jan 31, 2022

Version

4.5.15

Environment info

N/A

Steps to reproduce

Run yarn audit

What is expected?

That no vulnerabilities of High severity are found

What is actually happening?

57 vulnerabilities found, 36 Moderate severity, 21 High severity

This is also the case for version v5.0.0-rc.2

@prog-rajkamal

@inghylt Can you copy and paste the high severity vulnerabilities here? npm audit is known to have false positives, and some of them may not be coming from vue cli or even be relevant.

@inghylt

inghylt commented Feb 1, 2022

@prog-rajkamal Sure! Not sure how much detail you would like, but I have attached a file with the output from yarn audit with only the high severity vulnerabilities. Let me know if that's what you are after or if you need anything else.
yarn-audit-high-severity.txt

@prog-rajkamal

@inghylt I looked into the issues and there were only 5 unique issues, and they can all be fixed by updating versions.

The problem is that these are all nested dependencies, so a PR needs to be sent to the intermediate dependency, and then vue cli needs to update to higher versions of its dependencies.

Unique issues:

https://www.npmjs.com/advisories/1005154
high Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of @vue/cli-plugin-unit-mocha
Path @vue/cli-plugin-unit-mocha > mochapack > glob-parent
More info https://www.npmjs.com/advisories/1005154

https://www.npmjs.com/advisories/1006865
high Exposure of sensitive information in follow-redirects
Package follow-redirects
Patched in >=1.14.7
Dependency of chromedriver
Path chromedriver > axios > follow-redirects
More info https://www.npmjs.com/advisories/1006865

https://www.npmjs.com/advisories/1006883
high Inefficient Regular Expression Complexity in marked
Package marked
Patched in >=4.0.10
Dependency of verdaccio
Path verdaccio > @verdaccio/readme > marked
More info https://www.npmjs.com/advisories/1006883

https://www.npmjs.com/advisories/1006884
high Inefficient Regular Expression Complexity in marked
Package marked
Patched in >=4.0.10
Dependency of verdaccio
Path verdaccio > marked
More info https://www.npmjs.com/advisories/1006884

https://www.npmjs.com/advisories/1006899
high node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Package node-fetch
Patched in >=2.6.7
Dependency of verdaccio
Path verdaccio > verdaccio-audit > node-fetch
More info https://www.npmjs.com/advisories/1006899
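
As an added example (not from this issue or the Vue CLI project), a script of the kind that turns the raw `yarn audit` stream into the deduplicated list above: it reads the NDJSON that yarn 1 emits with `--json` (the record shape assumed here is `auditAdvisory` records carrying `resolution.path`, `resolution.dev` and the `advisory` object, plus a final `auditSummary`), collapses repeated findings of the same advisory reached through several install paths, and reports which direct dependency each transitive fix has to come through. The sample records are constructed for the example; the advisory id and package for the moderate finding are placeholders.

```javascript
// Added example: collapse `yarn audit --json` output to unique advisories.
// Assumption: yarn 1 emits one JSON object per line, with "auditAdvisory"
// records ({ resolution: { id, path, dev }, advisory: { id, module_name,
// severity, patched_versions, title } }) and a final "auditSummary" record.
// Example code, not Vue CLI's; all sample data below is constructed.

// Build one constructed "auditAdvisory" line in that shape.
function finding(id, module, severity, patched, title, path, dev = true) {
  return JSON.stringify({
    type: 'auditAdvisory',
    data: { resolution: { id, path, dev },
            advisory: { id, module_name: module, severity, patched_versions: patched, title } },
  });
}

// Constructed sample: the same glob-parent advisory appears twice via two
// install paths (the reason raw counts overstate the work), plus a constructed
// moderate finding with no patched version (npm reports that as "<0.0.0").
const SAMPLE_AUDIT_NDJSON = [
  finding(1005154, 'glob-parent', 'high', '>=5.1.2', 'Regular expression denial of service',
          '@vue/cli-plugin-unit-mocha>mochapack>glob-parent'),
  finding(1005154, 'glob-parent', 'high', '>=5.1.2', 'Regular expression denial of service',
          '@vue/cli-plugin-unit-mocha>mochapack>chokidar>glob-parent'),
  finding(1006865, 'follow-redirects', 'high', '>=1.14.7',
          'Exposure of sensitive information in follow-redirects', 'chromedriver>axios>follow-redirects'),
  finding(1006899, 'node-fetch', 'high', '>=2.6.7',
          'Exposure of Sensitive Information to an Unauthorized Actor', 'verdaccio>verdaccio-audit>node-fetch'),
  finding(9999999 /* placeholder id, constructed */, 'shortid', 'moderate', '<0.0.0',
          'constructed: deprecated package with no fixed version', 'some-tool>shortid'),
  JSON.stringify({ type: 'auditSummary',
                   data: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 4, critical: 0 } } }),
].join('\n');

// Split the NDJSON stream into advisory records and the summary; skip any
// non-JSON noise (yarn may print warnings on the same stream).
function parseAuditNdjson(text) {
  const advisories = [];
  let summary = null;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    if (rec.type === 'auditAdvisory') advisories.push(rec.data);
    else if (rec.type === 'auditSummary') summary = rec.data;
  }
  return { advisories, summary };
}

// One entry per advisory id: which direct dependencies pull it in (the first
// segment of each "a>b>c" path), every install path, and whether it is dev-only.
function uniqueAdvisories(advisories) {
  const byId = new Map();
  for (const { resolution, advisory } of advisories) {
    let entry = byId.get(advisory.id);
    if (!entry) {
      entry = { id: advisory.id, module: advisory.module_name, severity: advisory.severity,
                patchedIn: advisory.patched_versions, title: advisory.title,
                directDeps: new Set(), paths: [], devOnly: true };
      byId.set(advisory.id, entry);
    }
    entry.directDeps.add(resolution.path.split('>')[0]);
    entry.paths.push(resolution.path);
    if (!resolution.dev) entry.devOnly = false;
  }
  return [...byId.values()].map((e) => ({ ...e, directDeps: [...e.directDeps].sort() }));
}

// Triage view: raw vs. unique counts, where the upstream version bumps have to
// land, and which findings have no patched version at all.
function summarize(text) {
  const { advisories, summary } = parseAuditNdjson(text);
  const unique = uniqueAdvisories(advisories);
  return {
    reportedFindings: advisories.length,
    reportedBySeverity: summary ? summary.vulnerabilities : null,
    uniqueAdvisories: unique.length,
    uniqueHigh: unique.filter((u) => u.severity === 'high').length,
    directDepsToFix: [...new Set(unique.flatMap((u) => u.directDeps))].sort(),
    unfixable: unique.filter((u) => u.patchedIn === '<0.0.0').map((u) => u.module),
    unique,
  };
}

// For a real run: `yarn audit --json > audit.ndjson` and pass the file's text
// to summarize(); here the constructed sample is used.
console.log(JSON.stringify(summarize(SAMPLE_AUDIT_NDJSON), null, 2));
```

The `directDepsToFix` list is the actionable output: each name is a direct dependency whose own dependency tree has to move to the patched range before the root project can pick up the fix, which is where the "PR to the intermediate dependency" in the comment above goes. `devOnly` separates tooling-only exposure from packages shipped to production.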

@inghylt

inghylt commented Feb 4, 2022

@prog-rajkamal Yes, seems like that's the case. Do you have the time/possibility to reach out to the intermediate repositories? Seems like verdaccio, chromedriver and mochapack should be sufficient right?

Btw, I also saw in this comment that create-vue is recommended for new projects and pnpm audit does not report any vulnerabilities in this repo, so maybe it makes sense to try to make a shift to that. Not sure if that's a task that can be highly prioritized in the current project I'm involved in though. Do you know if it's fairly straightforward to make the change and if create-vue is mature enough for it to make sense?

@tomarie

tomarie commented Feb 16, 2022

Hi, any expected time for a new official version that includes the fix for follow-redirects?

@lorand-horvath

lorand-horvath commented Feb 17, 2022

Hi, any expected time for a new official version that includes the fix for follow-redirects?

@tomarie Perhaps the freshly released @vue/cli 5 fixed these? Haven't tried yet...

@prog-rajkamal

@lorand-horvath Thanks for the tip. Just checked it, and there is no high severity issue.

@inghylt I ran "yarn audit" on vue cli v5.0.1 and got a single moderate vulnerability (repeated twice, due to two install paths) only:

Hence this issue can be closed


@lorand-horvath

lorand-horvath commented Feb 17, 2022

@prog-rajkamal The vulnerability is caused by shortid, which has been deprecated for quite some time now, but uses nanoid under the hood anyways https://www.npmjs.com/package/shortid
shortid is deprecated, because the architecture is unsafe. We instead recommend [Nano ID](https://github.com/ai/nanoid/), which has the advantage of also being significantly faster than shortid.
So I guess @vue/cli 5 dependencies should be updated to using nanoid directly...

@prog-rajkamal

prog-rajkamal commented Feb 17, 2022

@lorand-horvath Yeah, since it is patched in version 3.1, directly referring to nanoid will fix it.

@inghylt

inghylt commented Feb 18, 2022

@prog-rajkamal Yes it looks like they have all been fixed in v5.0.1! Very nice.
When I run yarn audit on v5.0.1 I actually get 14 vulnerabilities reported, but they are all of moderate severity, so I will close this issue.

@inghylt inghylt closed this as completed Feb 18, 2022