vbenjs / vite-plugin-html

A vite plugin for processing html. It is developed based on lodash template
MIT License

Security Vuln? Prototype Pollution in async (in a dependency somewhere) #67

Open maietta opened 2 years ago

maietta commented 2 years ago

See: .

I'm trying to track down just exactly where this error is stemming from as so far, I can't seem to follow this. (Should be clear as day)

NOTE: I see a red flag here in "Will install vite-plugin-html@0.0.1, which is a breaking change". This version number does not reflect anything near the current version of v3.0.6 released Feb 6th.

I installed via npm i vite-plugin-html -D.

# npm audit report

async  <3.2.2
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix --force`
Will install vite-plugin-html@0.0.1, which is a breaking change
node_modules/async
  jake  >=8.0.1
  Depends on vulnerable versions of async
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
  node_modules/jake
    ejs  >=3.1.2
    Depends on vulnerable versions of jake
    node_modules/ejs
      vite-plugin-html  >=1.0.0-beta.1
      Depends on vulnerable versions of ejs
      node_modules/vite-plugin-html

Just in case, my package.json looks like this:

{
  "name": "acme",
  "private": true,
  "version": "0.0.0",
  "scripts": {
    "dev": "vite ",
    "build": "vite build",
    "preview": "vite preview"
  },
  "dependencies": {
    "@vue/compiler-sfc": "^3.2.31",
    "axios": "^0.26.0",
    "facebook-button": "^0.4.0",
    "font-awesome": "^4.7.0",
    "foundation-sites": "^6.7.4",
    "jquery": "^3.6.0",
    "jquery-mask-plugin": "^1.14.16",
    "modernizr": "^3.12.0",
    "motion-ui": "^2.0.3",
    "recaptcha-v3": "^1.10.0",
    "requirejs": "^2.3.6",
    "slick-carousel": "^1.8.1",
    "vite-plugin-banner": "^0.2.0",
    "vite-plugin-html": "^3.2.0",
    "vue": "^3.2.31",
    "vue-button-spinner": "^2.2.1",
    "vue-recaptcha-v3": "^2.0.1",
    "vue-router": "^4.0.13",
    "vue-social-sharing": "^4.0.0-alpha4",
    "vuejs-paginate-next": "^1.0.2",
    "vuex": "^4.0.2",
    "what-input": "^5.2.10"
  },
  "devDependencies": {
    "@vitejs/plugin-vue": "^2.2.0",
    "sass": "^1.49.9",
    "vite": "^2.8.6"
  }
}
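The audit output above shows the chain vite-plugin-html -> ejs -> jake -> async, and the same chain can be recovered from the project's own package-lock.json. What follows is an added example, not code from this issue or from vite-plugin-html: it walks a constructed lockfileVersion 3 sample (the layout follows the audit tree, the version strings are assumed) and lists every dependency path from the project root to a named package.

```javascript
// Added example: find every dependency chain from the project root to a given
// package in an npm package-lock.json (lockfileVersion 2 or 3, "packages" map).
// SAMPLE_LOCK is a constructed lockfile that mirrors the layout of the audit
// tree in the issue; the version strings are assumed, not taken from a real install.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "vite-plugin-html": "^3.2.0" } },
    "node_modules/vite-plugin-html": { version: "3.2.0", dependencies: { ejs: "^3.1.6" } },
    "node_modules/ejs": { version: "3.1.6", dependencies: { jake: "^10.6.1" } },
    "node_modules/jake": { version: "10.8.2", dependencies: { async: "0.9.x" } },
    "node_modules/async": { version: "0.9.2" },
  },
};

// Resolve a dependency the way Node does: look for node_modules/<name> nested
// under the requiring package, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search over the lockfile graph, collecting "a@1 -> b@2 -> target"
// strings. `seen` holds the lockfile paths on the current chain to break cycles.
function findChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const visit = (path, labels, seen) => {
    const pkg = packages[path];
    if (!pkg) return;
    const name = path === "" ? "(root)" : path.slice(path.lastIndexOf("node_modules/") + 13);
    const next = labels.concat(pkg.version ? name + "@" + pkg.version : name);
    if (name === target) { chains.push(next.join(" -> ")); return; }
    const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
    for (const dep of Object.keys(deps)) {
      const depPath = resolveDep(packages, path, dep);
      if (depPath && !seen.has(depPath)) visit(depPath, next, new Set(seen).add(depPath));
    }
  };
  visit("", [], new Set([""]));
  return chains;
}

console.log(findChains(SAMPLE_LOCK, "async").join("\n"));
```

On a real install, `npm ls async` prints the same chain; this script is useful when you only have the lockfile, for example in a CI artifact.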

maietta commented 2 years ago

Something isn't right here. The version numbers between the NPM repository and Github do not match up.

npm i vite-plugin-html refers to https://www.npmjs.com/package/vite-plugin-html.

On https://www.npmjs.com/package/vite-plugin-html, it refers to this project repo. (https://github.com/vbenjs/vite-plugin-html).

However, the version numbers/releases found here:

https://github.com/vbenjs/vite-plugin-html/releases

Do not match up with what's found here:

https://www.npmjs.com/package/vite-plugin-html

My package.json file upon install of the plugin shows a starting point of ^3.2.0, which was published on Feb 9th 2022. However, on GitHub, the same commit hash refers to 3.0.6 in the repo.

The hash in question: a4e9163c00b20e5c83cd2bcec42a2926ac2a0bb2

What in the hell is actually going on? Any ideas?