quasarframework / quasar

Quasar Framework - Build high-performance VueJS user interfaces in record time
https://quasar.dev
MIT License

@quasar/app-vite relies on vulnerable package html-minifier #17131

Closed israeldickson closed 1 week ago

israeldickson commented 1 week ago

What happened?

npm audit report

  html-minifier
  Severity: high
  kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
  No fix available
  node_modules/html-minifier
    @quasar/app-vite
    Depends on vulnerable versions of html-minifier
    node_modules/@quasar/app-vite

2 high severity vulnerabilities

Some issues need review, and may require choosing a different dependency.

What did you expect to happen?

For quasar not to rely on vulnerable dependencies.

Reproduction URL

https://stackblitz.com/fork/quasarframework

How to reproduce?

Run command 'npm audit report'.

Flavour

Quasar CLI with Vite (@quasar/cli | @quasar/app-vite)

Areas

Quasar CLI Commands/Configuration (@quasar/cli | @quasar/app-webpack | @quasar/app-vite)

Platforms/Browsers

No response

Quasar info output

Operating System - Windows_NT(10.0.22000) - win32/x64
NodeJs - 18.15.0

Global packages
  NPM - 9.5.0
  yarn - Not installed
  @quasar/cli - 2.4.0
  @quasar/icongenie - Not installed
  cordova - Not installed

Important local packages
  quasar - 2.15.3 -- Build high-performance VueJS user interfaces (SPA, PWA, SSR, Mobile and Desktop) in record time
  @quasar/app-vite - 1.8.2 -- Quasar Framework App CLI with Vite
  @quasar/extras - 1.16.11 -- Quasar Framework fonts, icons and animations
  eslint-plugin-quasar - Not installed
  vue - 3.2.47 -- The progressive JavaScript framework for building modern web UI.
  vue-router - 4.1.6
  pinia - 2.0.33 -- Intuitive, type safe and flexible Store for Vue
  vuex - Not installed
  vite - 2.9.18 -- Native-ESM powered web dev build tool
  eslint - 8.37.0 -- An AST-based pattern checker for JavaScript.
  electron - Not installed
  electron-packager - Not installed
  electron-builder - Not installed
  register-service-worker - 1.7.2 -- Script for registering service worker, with hooks
  @capacitor/core - Not installed
  @capacitor/cli - Not installed
  @capacitor/android - Not installed
  @capacitor/ios - Not installed

Quasar App Extensions
  *None installed*

Relevant log output

No response

Additional context

No response
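The finding above is a transitive one: `html-minifier` is not in the app's own `package.json`, it arrives through `@quasar/app-vite`, and npm reports "No fix available" because no patched `html-minifier` release exists to upgrade to. What a practitioner needs from such a report is the attribution (which direct dependency pulls the vulnerable package in, and whether that dependency can fix it by releasing) and the fix state, which `npm audit --json` exposes per package as `via`, `effects`, `isDirect` and `fixAvailable`. Whether a ReDoS in a build-time minifier is actually reachable depends on whether untrusted HTML ever reaches it at build time, which the report cannot tell you; the triage below only establishes the dependency chain and the fix state. The script is an added example, not code from the Quasar project or this issue; it assumes the npm 7+ audit JSON schema (`auditReportVersion` 2), and the sample report embedded in it is constructed to mirror the text output in the issue, with the advisory `source` id and version ranges as placeholders.

```javascript
// Added example (not part of the Quasar issue or project): attribute each
// advisory in an `npm audit --json` report to the direct dependency that
// pulls it in, and classify the fix state npm reports for that dependency.
//
// Assumed schema (npm 7+, auditReportVersion 2): `vulnerabilities` maps a
// package name to { isDirect, via, effects, fixAvailable, ... }, where each
// `via` element is either an advisory object ({ url, title, severity, ... })
// or the name of another vulnerable package this one depends on.

// Constructed sample modelled on the report in the issue above. Package names
// and the advisory URL/title are taken from the page; `source` and `range`
// are placeholders, not real advisory data.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "html-minifier": {
      name: "html-minifier",
      severity: "high",
      isDirect: false,
      via: [
        {
          source: 0, // placeholder advisory id
          name: "html-minifier",
          dependency: "html-minifier",
          title: "kangax html-minifier REDoS vulnerability",
          url: "https://github.com/advisories/GHSA-pfq8-rq6v-vf5m",
          severity: "high",
          range: "*", // placeholder
        },
      ],
      effects: ["@quasar/app-vite"],
      range: "*", // placeholder
      nodes: ["node_modules/html-minifier"],
      fixAvailable: false,
    },
    "@quasar/app-vite": {
      name: "@quasar/app-vite",
      severity: "high",
      isDirect: true,
      via: ["html-minifier"],
      effects: [],
      range: "*", // placeholder
      nodes: ["node_modules/@quasar/app-vite"],
      fixAvailable: false,
    },
  },
};

// Render npm's three fix states: `true` (npm audit fix can do it), an object
// (a semver-major bump of a direct dependency is needed), or `false` (nothing
// to upgrade to; only the upstream package or an override can resolve it).
function describeFix(fix) {
  if (fix === true) return "fix available via `npm audit fix`";
  if (fix && typeof fix === "object") {
    const major = fix.isSemVerMajor ? " (semver-major)" : "";
    return `fix requires ${fix.name}@${fix.version}${major}`;
  }
  return "no fix available upstream";
}

// Walk from every direct dependency along `via` edges until an advisory
// object is reached. Returns one record per (direct dependency, advisory)
// pair with the full dependency path. A per-path visited set guards against
// cycles in `via`, which npm's graph can contain.
function triageAudit(report) {
  const vulns = (report && report.vulnerabilities) || {};
  const findings = [];

  function walk(name, path, seen) {
    const entry = vulns[name];
    if (!entry || seen.has(name)) return;
    seen.add(name);
    for (const via of entry.via || []) {
      if (typeof via === "string") {
        walk(via, path.concat(via), seen);
      } else {
        findings.push({
          direct: path[0],
          path: path.join(" > "),
          advisory: via.url,
          title: via.title,
          severity: via.severity,
          fixAvailable: vulns[path[0]].fixAvailable,
        });
      }
    }
    seen.delete(name);
  }

  for (const [name, entry] of Object.entries(vulns)) {
    if (entry.isDirect) walk(name, [name], new Set());
  }
  return findings;
}

// Findings that cannot be closed from this repository alone: the direct
// dependency has no fix to upgrade to, so the action is an upstream release
// (as happened in this issue) or an `overrides` entry in package.json.
function upstreamBlockers(findings) {
  return findings.filter((f) => f.fixAvailable === false);
}

// Stand-alone run on the constructed sample.
for (const f of triageAudit(SAMPLE_REPORT)) {
  console.log(`[${f.severity}] ${f.path}\n  ${f.title}\n  ${f.advisory}\n  ${describeFix(f.fixAvailable)}`);
}
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json`; the `upstreamBlockers` list is the set of findings where the only local remedy is a `package.json` `overrides` entry, which should be paired with a check that the overridden package is actually exercised on untrusted input before deciding whether to accept the risk.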

rstoenescu commented 1 week ago

Thank you for reporting, but next time please follow our policy on reporting security issues: https://github.com/quasarframework/quasar/security/policy#reporting-a-vulnerability

rstoenescu commented 1 week ago

Will release new versions for q/app-vite & q/app-webpack (both current stable & the new betas) later today.

tinohager commented 1 week ago

Interesting that this CVE was reported in Oct 2022 and the project is now hitting it 😦

rstoenescu commented 1 week ago

Noticed. It's very weird that this has just "come up". Received a notice from Github today too on it.

In any case, I've just released the new versions of q/app-vite & q/app-webpack.