Macil / browserify-hmr

Hot Module Replacement plugin for Browserify
MIT License

npm install - vulnerability warning (0.3.7) #43

Closed spacejack closed 4 years ago

spacejack commented 5 years ago
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ browserify-hmr                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browserify-hmr [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browserify-hmr                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/726                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Link to the issue: https://npmjs.com/advisories/726

I'm not sure what other hot-reloading libraries do to prevent this. Is there a fix/mitigation that can be implemented or can NPM be asked to change their warning?

I still find this library really useful and enjoy the stability and simplicity of the browserify toolchain!

jeremija commented 4 years ago

Hi @spacejack, have you found a solution?

This is most likely related to #41

I found this post in Chinese. The gifs and code examples are helpful to understand the issue. And Google Translate helps.

I've also found a commit in webpack-dev-server which adds a check for origin:

https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10#commitcomment-31816791