qmhc / vite-plugin-dts

A Vite plugin for generating `.d.ts` files.
MIT License
1.29k stars · 88 forks

Vue vulnerability #355

Closed danLDev closed 2 months ago

danLDev commented 3 months ago

Describe the bug

It seems this plugin is vulnerable to a vue vulnerability, we are using it to compile a react-lib, and not using vue anywhere.

https://github.com/advisories/GHSA-g3ch-rx76-35fx

┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ vue-template-compiler vulnerable to client-side        │
│                     │ Cross-Site Scripting (XSS)                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ vue-template-compiler                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=2.0.0 <3.0.0                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.0.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ . > vue-template-compiler@2.7.16                       │
│                     │                                                        │
│                     │ apps/storybook >                                       │
│                     │ @fe-xelix/table@link:../../packages/table >            │
│                     │ @fe-xelix/ui@link:../../packages/ui >                  │
│                     │ vite-plugin-dts@3.9.1 > @vue/language-core@2.0.28 >    │
│                     │ vue-template-compiler@2.7.16                           │
│                     │                                                        │
│                     │ apps/storybook >                                       │
│                     │ @fe-xelix/table@link:../../packages/table >            │
│                     │ @fe-xelix/ui@link:../../packages/ui >                  │
│                     │ vite-plugin-dts@3.9.1 > vue-tsc@2.0.28 >               │
│                     │ @vue/language-core@2.0.28 >                            │
│                     │ vue-template-compiler@2.7.16                           │
│                     │                                                        │
│                     │ ... Found 13 paths, run `pnpm why                      │
│                     │ vue-template-compiler` for more information            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-g3ch-rx76-35fx      │
└─────────────────────┴────────────────────────────────────────────────────────┘

Reproduction

https://github.com/advisories/GHSA-g3ch-rx76-35fx

Steps to reproduce

npm install
npm audit

System Info

System:
    OS: macOS 14.2
    CPU: (8) arm64 Apple M3
    Memory: 94.66 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.9.0 - ~/.nvm/versions/node/v20.9.0/bin/node
    Yarn: 1.22.22 - ~/.nvm/versions/node/v20.9.0/bin/yarn
    npm: 10.1.0 - ~/.nvm/versions/node/v20.9.0/bin/npm
    pnpm: 8.15.6 - ~/.nvm/versions/node/v20.9.0/bin/pnpm
    bun: 1.1.3 - ~/.bun/bin/bun
  Browsers:
    Chrome: 126.0.6478.183
    Safari: 17.2

lcharette commented 3 months ago

FYI, vue-tsc has been updated to fix this: https://github.com/vuejs/language-tools/issues/4610#issuecomment-2249800743

Please update vue-tsc to 2.0.29.

EDIT:

I can confirm that using @vue/language-core@2.0.29 & vue-tsc@2.0.29 fixes the issue:

"dependencies": {
  "@microsoft/api-extractor": "7.47.2",
  "@rollup/pluginutils": "^5.1.0",
  "@volar/typescript": "^2.3.4",
  "@vue/language-core": "2.0.29",
  "debug": "^4.3.5",
  "kolorist": "^1.8.0",
  "magic-string": "^0.30.10",
  "vue-tsc": "2.0.29"
},

Unfortunately, I'm not sure I can submit a PR as the main branch is already on 4.x...
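For readers who, like the reporter, cannot wait for a new vite-plugin-dts release: the fix lcharette confirmed above (pinning @vue/language-core and vue-tsc to 2.0.29) can be forced from the consuming project's own package.json with a package-manager override, without forking the plugin. The snippet below is an added example, not code from this issue or from the vite-plugin-dts project; it assumes a pnpm workspace (the audit output above was produced with pnpm) and that 2.0.29 is still compatible with vite-plugin-dts 3.9.1's other dependencies, which is what lcharette reports.

```json
{
  "name": "consumer-of-vite-plugin-dts",
  "private": true,
  "devDependencies": {
    "vite-plugin-dts": "3.9.1"
  },
  "pnpm": {
    "overrides": {
      "@vue/language-core": "2.0.29",
      "vue-tsc": "2.0.29"
    }
  }
}
```

For npm the same two entries go under a top-level `"overrides"` key instead of `"pnpm": { "overrides": ... }`. After `pnpm install`, re-run `pnpm why vue-template-compiler` and `pnpm audit`: every path that went through `vite-plugin-dts > @vue/language-core` or `vite-plugin-dts > vue-tsc` should be gone. Note that the first path in the audit output, `. > vue-template-compiler@2.7.16`, is a direct dependency of the root package itself; an override on the plugin's dependencies does not touch that one, so it has to be removed or upgraded separately. Overrides of pinned versions should be dropped again once the plugin ships a release that carries the fix, otherwise they will silently mask future version bumps.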

danLDev commented 2 months ago

@qmhc Is this fix also going to be released to v3.. ? Ideally we'd like to resolve asap rather than wait for a major release as it's flagging up in our audit pipelines

qmhc commented 2 months ago

@danLDev There are many breaking changes from Volar 1 to 2, so I think we should update the major version when upgrading Volar.

The official v4 will be released in the next week.

lcharette commented 2 months ago

Will upgrading to v4 of this package require a lot of manual fixes?

If it's a simple version bump, it's probably fine (and should probably be a minor version update according to semver). However, for bigger projects upgrading to v4 might not be an option if the upgrade process introduces breaking changes.

Such a simple fix (updating a dependency version) should be easily shipped as a patch upgrade / security release for the current version. This is not possible with the current structure of this repo (no v3 branch available for PR submission).