Closed israeldickson closed 1 week ago
Thank you for reporting, but next time please follow our policy on reporting security issues: https://github.com/quasarframework/quasar/security/policy#reporting-a-vulnerability
Will release new versions for q/app-vite & q/app-webpack (both current stable & the new betas) later today.
What's interesting is that this CVE was reported in Oct 2022 and the project is only being hit by it now 😦
Noticed. It's very weird that this has just "come up". Received a notice from Github today too on it.
In any case, I've just released the new versions of q/app-vite & q/app-webpack.
What happened?
```
npm audit report

html-minifier
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  @quasar/app-vite
  Depends on vulnerable versions of html-minifier
  node_modules/@quasar/app-vite

2 high severity vulnerabilities

Some issues need review, and may require choosing a different dependency.
```
What did you expect to happen?
For quasar not to rely on vulnerable dependencies.
Reproduction URL
https://stackblitz.com/fork/quasarframework
How to reproduce?
Run command 'npm audit report'.
Flavour
Quasar CLI with Vite (@quasar/cli | @quasar/app-vite)
Areas
Quasar CLI Commands/Configuration (@quasar/cli | @quasar/app-webpack | @quasar/app-vite)
Platforms/Browsers
No response
Quasar info output
Relevant log output
No response
Additional context
No response