NativeScript / nativescript-dev-webpack

A package to help with webpacking NativeScript apps.
Apache License 2.0

Security issues #1150

Open senner007 opened 3 years ago

senner007 commented 3 years ago

Issue

Hi :)

I have the security issues below with nativescript-dev-webpack.

Environment

"dependencies": { "nativescript-dev-webpack": "1.5.1" }

npm audit security report

Run `npm update terser-webpack-plugin --depth 3` to resolve 2 vulnerabilities:

| Severity | Title | Package | Dependency of | Path | More info |
| --- | --- | --- | --- | --- | --- |
| Moderate | Cross-Site Scripting | serialize-javascript | nativescript-dev-webpack [dev] | nativescript-dev-webpack > webpack > terser-webpack-plugin > serialize-javascript | https://npmjs.com/advisories/1426 |
| High | Remote Code Execution | serialize-javascript | nativescript-dev-webpack [dev] | nativescript-dev-webpack > webpack > terser-webpack-plugin > serialize-javascript | https://npmjs.com/advisories/1548 |

Manual Review (some vulnerabilities require your attention to resolve; visit https://go.npm.me/audit-guide for additional guidance):

| Severity | Title | Package | Patched in | Dependency of | Path | More info |
| --- | --- | --- | --- | --- | --- | --- |
| Moderate | Out-of-bounds Read | atob | >=2.1.0 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > css > source-map-resolve > atob | https://npmjs.com/advisories/646 |
| Moderate | Cross-Site Scripting | serialize-javascript | >=2.1.1 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > copy-webpack-plugin > serialize-javascript | https://npmjs.com/advisories/1426 |
| Moderate | Cross-Site Scripting | serialize-javascript | >=2.1.1 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > terser-webpack-plugin > serialize-javascript | https://npmjs.com/advisories/1426 |
| High | Remote Code Execution | serialize-javascript | >=3.1.0 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > copy-webpack-plugin > serialize-javascript | https://npmjs.com/advisories/1548 |
| High | Remote Code Execution | serialize-javascript | >=3.1.0 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > terser-webpack-plugin > serialize-javascript | https://npmjs.com/advisories/1548 |
| Low | Prototype Pollution | yargs-parser | >=13.1.2 <14.0.0 \|\| >=15.0.1 <16.0.0 \|\| >=18.1.2 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > webpack-cli > yargs > yargs-parser | https://npmjs.com/advisories/1500 |
| High | Prototype Pollution | object-path | >=0.11.5 | nativescript-dev-webpack [dev] | nativescript-dev-webpack > resolve-url-loader > adjust-sourcemap-loader > object-path | https://npmjs.com/advisories/1573 |
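The report above repeats the same advisory for every dependency path and only marks one of those paths as fixable by `npm update`. The script below is an added example for triaging such a report, not code from nativescript-dev-webpack or from the reporter: it reads the npm 6 `npm audit --json` shape (`advisories` keyed by id with `findings[].paths` and `findings[].dev`, and `actions[].resolves[]` listing the paths an update would cover), collapses duplicate rows, and flags which advisories are reachable only through devDependencies and which paths still need manual review. The embedded `sampleReport` is constructed from the advisory ids, paths and patched ranges in this issue; it is not captured npm output.

```javascript
// Triage helper for an `npm audit --json` report in the npm 6 format.
// Added example; not part of nativescript-dev-webpack.

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed from the issue above (ids, paths, patched ranges); not real npm output.
const NSDW = "nativescript-dev-webpack";
const SJ_PATHS = [
  `${NSDW}>webpack>terser-webpack-plugin>serialize-javascript`,
  `${NSDW}>copy-webpack-plugin>serialize-javascript`,
  `${NSDW}>terser-webpack-plugin>serialize-javascript`,
];
const sampleReport = {
  actions: [
    {
      action: "update",
      module: "terser-webpack-plugin",
      depth: 3,
      // Only the path through webpack is covered by the suggested update.
      resolves: [
        { id: 1426, path: SJ_PATHS[0], dev: true },
        { id: 1548, path: SJ_PATHS[0], dev: true },
      ],
    },
  ],
  advisories: {
    1426: { id: 1426, module_name: "serialize-javascript", severity: "moderate", title: "Cross-Site Scripting", patched_versions: ">=2.1.1", url: "https://npmjs.com/advisories/1426", findings: [{ dev: true, paths: SJ_PATHS }] },
    1548: { id: 1548, module_name: "serialize-javascript", severity: "high", title: "Remote Code Execution", patched_versions: ">=3.1.0", url: "https://npmjs.com/advisories/1548", findings: [{ dev: true, paths: SJ_PATHS }] },
    646: { id: 646, module_name: "atob", severity: "moderate", title: "Out-of-bounds Read", patched_versions: ">=2.1.0", url: "https://npmjs.com/advisories/646", findings: [{ dev: true, paths: [`${NSDW}>css>source-map-resolve>atob`] }] },
    1500: { id: 1500, module_name: "yargs-parser", severity: "low", title: "Prototype Pollution", patched_versions: ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2", url: "https://npmjs.com/advisories/1500", findings: [{ dev: true, paths: [`${NSDW}>webpack-cli>yargs>yargs-parser`] }] },
    1573: { id: 1573, module_name: "object-path", severity: "high", title: "Prototype Pollution", patched_versions: ">=0.11.5", url: "https://npmjs.com/advisories/1573", findings: [{ dev: true, paths: [`${NSDW}>resolve-url-loader>adjust-sourcemap-loader>object-path`] }] },
  },
};

// (advisory id, path) pairs that a non-"review" action would resolve.
function autoFixablePaths(report) {
  const fixable = new Set();
  for (const act of report.actions || []) {
    if (act.action === "review") continue;
    for (const r of act.resolves || []) fixable.add(`${r.id}:${r.path}`);
  }
  return fixable;
}

// One row per advisory, all paths merged, sorted by severity then id.
function triage(report) {
  const fixable = autoFixablePaths(report);
  const rows = Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const paths = [...new Set(findings.flatMap((f) => f.paths || []))].sort();
    return {
      id: adv.id,
      severity: adv.severity,
      module: adv.module_name,
      title: adv.title,
      patchedIn: adv.patched_versions,
      url: adv.url,
      paths,
      // Dev-only only when every finding says so; no findings is not dev-only.
      devOnly: findings.length > 0 && findings.every((f) => f.dev === true),
      // Paths the suggested updates do not cover: these need a manual fix.
      manualPaths: paths.filter((p) => !fixable.has(`${adv.id}:${p}`)),
    };
  });
  rows.sort(
    (a, b) =>
      (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1) ||
      a.id - b.id,
  );
  return rows;
}

function summary(rows) {
  const out = { total: rows.length, devOnly: 0, needsManualReview: 0 };
  for (const r of rows) {
    out[r.severity] = (out[r.severity] || 0) + 1;
    if (r.devOnly) out.devOnly += 1;
    if (r.manualPaths.length > 0) out.needsManualReview += 1;
  }
  return out;
}

function formatRows(rows) {
  return rows.map((r) => {
    const scope = r.devOnly ? "dev" : "PROD";
    const manual = r.manualPaths.length
      ? ` manual:${r.manualPaths.length}/${r.paths.length} paths`
      : "";
    return `${r.severity.padEnd(8)} #${r.id} ${r.module} (${r.title}) patched ${r.patchedIn} [${scope}]${manual}`;
  });
}

if (typeof require !== "undefined" && require.main === module) {
  const rows = triage(sampleReport);
  console.log(formatRows(rows).join("\n"));
  console.log(summary(rows));
}
```

To run it against a real project, replace `sampleReport` with `JSON.parse(require("fs").readFileSync(0, "utf8"))` and pipe in `npm audit --json` (npm 6; npm 7+ changed the JSON layout). Note that a `[dev]` finding means the vulnerable code is not in the shipped app bundle, but it still executes on developer and CI machines during the build, so a prototype-pollution or RCE advisory in build tooling narrows the blast radius rather than removing it.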