What is expected?
The package should not include known vulnerable dependencies.
What is actually happening?
Running npm audit results in:
❯ npm audit
# npm audit report
electron <=22.3.24
Severity: high
Depends on vulnerable versions of @electron/get
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd - https://github.com/advisories/GHSA-7x97-j373-85x5
Electron context isolation bypass via nested unserializable return value - https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
Electron affected by libvpx's heap buffer overflow in vp8 encoding - https://github.com/advisories/GHSA-qqvq-6xgj-jw8g
No fix available
node_modules/electron
@vue/devtools *
Depends on vulnerable versions of electron
node_modules/@vue/devtools
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
@electron/get <=1.14.1
Depends on vulnerable versions of got
node_modules/@electron/get
4 vulnerabilities (3 moderate, 1 high)
Some issues need review, and may require choosing
a different dependency.
Vue devtools version
6.5.1
Link to minimal reproduction
https://stackblitz.com/edit/vitejs-vite-hdegy7?file=package.json
Steps to reproduce & screenshots
Open stackblitz terminal and run
npm audit
Or on a local machine:
npm install --save-dev @vue/devtools
npm audit
System Info
Any additional comments?
No response