aklinker1 / vite-plugin-web-extension

Vite plugin for developing Chrome/Web Extensions
https://vite-plugin-web-extension.aklinker1.io/
MIT License

Severe vulnerability with version of `web-ext-run` #196

Closed akshatamohanty closed 3 months ago

akshatamohanty commented 3 months ago

Summary

Running npm audit brings up this warning -

```
ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install vite-plugin-web-extension@3.2.0, which is a breaking change
node_modules/ws
  web-ext-run  *
  Depends on vulnerable versions of ws
  node_modules/web-ext-run
    vite-plugin-web-extension  >=4.0.0-alpha1
    Depends on vulnerable versions of web-ext-run
    node_modules/vite-plugin-web-extension
```

Environment

```
  System:
    OS: macOS 13.2
    CPU: (8) arm64 Apple M2
    Memory: 115.08 MB / 16.00 GB
    Shell: 5.8.1 - /bin/zsh
  Binaries:
    Node: 21.7.3 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - ~/.nvm/versions/node/v16.16.0/bin/yarn
    npm: 10.5.0 - /opt/homebrew/bin/npm
  Browsers:
    Chrome: 126.0.6478.127
    Safari: 16.3
  npmPackages:
    vite: ^5.3.3 => 5.3.3
    vite-plugin-web-extension: ^4.1.4 => 4.1.4
```

aklinker1 commented 3 months ago

I've been aware of this for a few weeks now, GitHub is reporting it as well.

This report doesn't affect web-ext's use case, it only affects production servers, so I've been slow to update my fork.

But I will update it soon, thanks for the report!
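The triage the maintainer describes (is `ws` reachable only through the dev tooling `web-ext-run`, or through a runtime dependency?) can be automated against the machine-readable audit report. The following is an added example, not code from vite-plugin-web-extension or from this thread; it assumes the `npm audit --json` shape (auditReportVersion 2, one entry per package on the chain with `isDirect` and `effects`) and uses constructed sample data mirroring the chain printed above.

```javascript
// Added example (not the plugin's code). Classifies each npm audit finding as
// "runtime", "dev-only" or "unknown" by walking the report's `effects` edges
// from the vulnerable package up to the project's direct dependencies and
// checking which package.json section those roots live in. The report shape
// is an assumption about `npm audit --json` (auditReportVersion 2); the data
// below is constructed to mirror the ws -> web-ext-run -> plugin chain.

const samplePackageJson = {
  dependencies: {},
  devDependencies: { vite: "^5.3.3", "vite-plugin-web-extension": "^4.1.4" },
};

const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: { severity: "high", isDirect: false, range: "8.0.0 - 8.17.0",
      effects: ["web-ext-run"] },
    "web-ext-run": { severity: "high", isDirect: false, range: "*",
      effects: ["vite-plugin-web-extension"] },
    "vite-plugin-web-extension": { severity: "high", isDirect: true,
      range: ">=4.0.0-alpha1", effects: [] },
  },
};

// Walk `effects` upward from a vulnerable package to the direct dependencies
// that pull it in. `seen` guards against cycles in the report graph.
function directDependents(audit, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = audit.vulnerabilities[name];
  if (!entry) return [];
  if (entry.isDirect) return [name];
  return (entry.effects || []).flatMap((dep) => directDependents(audit, dep, seen));
}

// "runtime" if any root is a production dependency, "dev-only" if the roots
// are only devDependencies, "unknown" if no root could be resolved.
function classify(audit, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const result = {};
  for (const [name, entry] of Object.entries(audit.vulnerabilities)) {
    const roots = [...new Set(directDependents(audit, name))];
    const scope = roots.some((r) => prod.has(r)) ? "runtime"
      : roots.some((r) => dev.has(r)) ? "dev-only" : "unknown";
    result[name] = { severity: entry.severity, roots, scope };
  }
  return result;
}
```

A "dev-only" result supports deprioritising, as the maintainer did here, but it is not a reason to skip the update: a dev tool that opens a listening socket on a shared network is still exposed.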