vuejs / language-tools

⚡ High-performance Vue language tooling based-on Volar.js
https://marketplace.visualstudio.com/items?itemName=Vue.volar
MIT License
5.87k stars 400 forks

Dependency on vulnerable version of vue-template-compiler #4610

Closed JuanJoseGonGi closed 3 months ago

JuanJoseGonGi commented 3 months ago

Vue - Official extension or vue-tsc version

vue-tsc

VSCode version

1.91.1

Vue version

2.7

TypeScript version

5.4.2

System Info

System:
    OS: macOS 14.5
    CPU: (8) arm64 Apple M1
    Memory: 49.92 MB / 16.00 GB
    Shell: 3.7.1 - /opt/homebrew/bin/fish
  Binaries:
    Node: 18.18.2 - ~/.asdf/installs/nodejs/18.18.2/bin/node
    npm: 9.8.1 - ~/.asdf/plugins/nodejs/shims/npm
    pnpm: 9.5.0 - /opt/homebrew/bin/pnpm
    bun: 1.0.1 - ~/.bun/bin/bun
  Browsers:
    Chrome: 127.0.6533.72
    Edge: 126.0.2592.113
    Safari: 17.5

Steps to reproduce

Run npm audit on a project with a vue-tsc dependency

What is expected?

It should not contain any vulnerability alerts

What is actually happening?

vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
fix available via npm audit fix
node_modules/vue-template-compiler
  @vue/language-core  *
  Depends on vulnerable versions of vue-template-compiler
  node_modules/@vue/language-core
    @vue/typescript  *
    Depends on vulnerable versions of @vue/language-core
    node_modules/@vue/typescript
      vue-tsc  >=1.7.0-alpha.0
      Depends on vulnerable versions of @vue/language-core
      Depends on vulnerable versions of @vue/typescript
      node_modules/vue-tsc

Link to minimal reproduction

No response

Any additional comments?

client-side Cross-Site Scripting (XSS) on vue-template-compiler - https://github.com/advisories/GHSA-g3ch-rx76-35fx

Plasma commented 3 months ago

The CVE indicates it's fixed in 3.0.0; however, that is not a version on npm, instead it is found at https://www.herodevs.com/support/nes-vue

reesscot commented 3 months ago

Any update on this issue?

leeobrum commented 3 months ago

I have the same problem. Any solution?

aoor9 commented 3 months ago

The CVE indicates it's fixed in 3.0.0; however, that is not a version on npm, instead it is found at https://www.herodevs.com/support/nes-vue

This is ridiculous. What's the point of keeping a dep for an EOL framework? Just let those guys make a parallel project for vue2 and terminate its support on this. (Also, no offense, but I see not only that they can't make a public release but that they don't even know the difference between a major and a patch.)

johnsoncodehk commented 3 months ago

Please update vue-tsc to 2.0.29.