vuejs / vue-cli

🛠️ webpack-based tooling for Vue.js Development
https://cli.vuejs.org/
MIT License

npm High severity vulnerability from webpack-dev-server #3223

Closed Sceat closed 5 years ago

Sceat commented 5 years ago

Version

3.2.2

Environment info

Unknown command info. ¯\_(ツ)_/¯

Steps to reproduce

npm update

What is expected?

to run without problems

What is actually happening?

danzlarkin commented 5 years ago

For more details on the issue see: https://github.com/webpack/webpack-dev-server/issues/1604 https://github.com/webpack/webpack-dev-server/issues/1615

The issue is related to some changes required to be done in sockjs (see https://github.com/sockjs/sockjs-node/pull/247)

For a temporary workaround put this in your 'devServer' property in webpack.config.js (or your webpack config file)

disableHostCheck: true

haoqunjiang commented 5 years ago

See https://github.com/vuejs/vue-cli/blob/0fc972ed1a9929e7b4bb6daa251e3a610f92d215/packages/%40vue/cli-service/package.json#L71

Already fixed.

danzlarkin commented 5 years ago

See vue-cli/packages/@vue/cli-service/package.json, line 71 in 0fc972e:

"webpack-dev-server": "^3.1.14",

Already fixed.

Yes, I noticed this earlier, but there seems to still be a bug occurring for some users of this package (see https://github.com/webpack/webpack-dev-server/issues/1604)

I have also checked my local package and it is 3.1.14, so maybe this is a problem with NPM's audit tool rather?

usercao commented 5 years ago

vue-cli/packages/@vue/cli-service/package.json

Overview

Versions of webpack-dev-server before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Remediation

Update to version 3.1.6 or later.

iainbeeston commented 5 years ago

@usercao I'm trying to follow what's going on here - can you tell me where you found those "Overview" and "Remediation" snippets? So far as I can see the latest release of webpack-dev-server is 3.1.14 (there's no 3.1.16 on npm right now):

> npm view webpack-dev-server versions

[ '0.6.0',
  '0.6.1',
  '0.6.2',
  #...
  '3.1.0',
  '3.1.1',
  '3.1.2',
  '3.1.3',
  '3.1.4',
  '3.1.5',
  '3.1.6',
  '3.1.7',
  '3.1.8',
  '3.1.9',
  '3.1.10',
  '3.1.11',
  '3.1.12',
  '3.1.13',
  '3.1.14' ]

usercao commented 5 years ago

@iainbeeston when I install @vue/cli@3.2.2, I saw the Remediation in this link https://www.npmjs.com/advisories/725. Until the version of 3.1.14, this bug still persists. I don't know what happened.

iainbeeston commented 5 years ago

Thanks @usercao that's interesting... The same page also lists 3.1.14 as affected on the "Versions" tab, even though the advisory from npm audit says 3.1.14 is fixed.

[Screenshot: 2019-01-02 at 09 35 13, image not included]
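The disagreement above between the package.json pin (^3.1.14) and what npm audit reports can have a mundane cause: a root pin says nothing about nested copies of webpack-dev-server pulled in by other dependencies, and audit walks the whole installed tree. The following is an added example, not vue-cli or webpack-dev-server code, that walks a lockfile-v1 style `dependencies` tree and lists every installed copy older than the fixed release named in advisory 725 (3.1.6); the sample lockfile is constructed for the demonstration.

```javascript
// Added example: find every installed copy of webpack-dev-server in a
// package-lock.json (lockfile v1 "dependencies" tree) that is below the
// fixed version from npm advisory 725. Run with: node check-wds.js
const FIXED_VERSION = '3.1.6';        // from the advisory quoted in the thread
const PACKAGE = 'webpack-dev-server';

// Numeric comparison of dotted versions, so '3.1.14' sorts after '3.1.6'
// (a plain string compare would get this wrong). No semver dependency needed.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect { path, version } for every copy of `name`. Nested
// copies live under dependencies.<pkg>.dependencies in a v1 lockfile.
function findInstalled(node, name, path = [], out = []) {
  for (const [dep, meta] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(' > '), version: meta.version });
    findInstalled(meta, name, here, out);
  }
  return out;
}

// Copies whose version is strictly below the fixed release.
function vulnerableCopies(lock) {
  return findInstalled(lock, PACKAGE)
    .filter((c) => compareVersions(c.version, FIXED_VERSION) < 0);
}

// Constructed sample lockfile: the root resolves the fixed 3.1.14, but a
// hypothetical plugin still carries its own pre-3.1.6 copy.
const sampleLock = {
  dependencies: {
    'webpack-dev-server': { version: '3.1.14' },
    'some-legacy-plugin': {
      version: '1.0.0',
      dependencies: { 'webpack-dev-server': { version: '3.1.5' } },
    },
  },
};

for (const c of vulnerableCopies(sampleLock)) {
  console.log(`${c.path}@${c.version} is below fixed version ${FIXED_VERSION}`);
}
```

To check a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls webpack-dev-server` shows the same nested copies interactively.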