Open mister-teddy opened 3 years ago
- ssri: transitive dependency from webpack 4, requires a cacache v12 patch, see: https://github.com/npm/cacache/issues/42#issuecomment-756316569
- is-svg: transitive dependency from cssnano 4, requires a postcss-svgo patch, see https://github.com/cssnano/cssnano/pull/1023#issuecomment-806397809

Update: The is-svg dependency does not expose the projects to any real threats, and it is not likely to be updated any time soon. See https://github.com/cssnano/cssnano/issues/1019#issuecomment-802182732
Hello everyone, thank you for the great work!
What is the current status of this issue? It's now considered high severity by Dependency Bot.
As said earlier, they are upstream issues; there's nothing we can do here. Besides, they do not expose the users of Vue CLI to any real threats, so it's safe to ignore them.
They're considered vulnerabilities because if you use these package versions in your Node.js web server, and process user inputs with them, your server might get compromised.
But that's not the use case of Vue CLI, which is a developer tool.
Thank you for the helpful information @sodatea 👍 We've turned off the vulnerability warning alerts for now.
@sodatea The @vue/cli-service package directly depends on version 7 of ssri. For version 5 (which is currently in beta) it was bumped to version 8, per https://github.com/vuejs/vue-cli/commit/473eab2d786aa54b7ab816003df6fbfee79852e9.
It looks like the update did not have that much impact, so maybe it can be backported to version 4 of the cli-service?
Version: 4.5.9
Reproduction link: https://github.com/upstage-org/mobilise
Environment info
Steps to reproduce
There are no steps at all; everything was fine until GitHub's dependency bot discovered these vulnerabilities a few days ago, see attachment below:
What is expected?
No warning from GitHub's dependency bot
What is actually happening?
Dependency bot is warning about vulnerabilities inside these indirect dependencies: ssri and is-svg
ssri and is-svg are not our direct dependencies; after inspecting the yarn.lock we discovered that they were peer dependencies of @vue/cli-service.
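The yarn.lock inspection the reporter describes, as an added example that is not part of the issue or of Vue CLI: a small Node.js script that parses a yarn.lock (v1 format) and lists the chain from each direct dependency down to a flagged package. The lockfile text and the direct-dependency list are constructed samples that mirror the thread (ssri reached both directly from @vue/cli-service and via cacache).

```javascript
// Added example, not code from the vue-cli issue or project: walk a yarn.lock (v1 format)
// to show which direct dependency pulls in a flagged package. Constructed sample data below.
const LOCKFILE = `
"@vue/cli-service@^4.5.9":
  version "4.5.9"
  dependencies:
    cacache "^12.0.3"
    ssri "^7.1.0"
cacache@^12.0.3:
  version "12.0.4"
  dependencies:
    ssri "^6.0.1"
ssri@^6.0.1:
  version "6.0.1"
ssri@^7.1.0:
  version "7.1.0"
`;
const DIRECT = { "@vue/cli-service": "^4.5.9" }; // package.json "dependencies" (constructed)
function parseYarnLock(text) { // -> { "name@range": { version, deps: { name: range } } }
  const entries = {}; let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) { // header: comma-separated, optionally quoted keys ending in ":"
      current = { version: null, deps: {} };
      for (const k of raw.replace(/:$/, "").split(", ")) entries[k.replace(/^"|"$/g, "")] = current;
      inDeps = false;
    } else if (raw.startsWith("    ")) { // under "dependencies:": name "range" (scoped names quoted)
      const m = inDeps && raw.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) current.deps[m[1]] = m[2];
    } else { // two-space keys: version, resolved, integrity, dependencies:
      const line = raw.trim();
      if (line.startsWith("version ")) current.version = line.slice(8).replace(/"/g, "");
      inDeps = line === "dependencies:";
    }
  }
  return entries;
}
function findChains(entries, direct, target) { // every ["name@version", ...] chain ending in target
  const chains = [];
  const walk = (name, range, path) => {
    const entry = entries[`${name}@${range}`];
    if (!entry) return; // not resolved in this lockfile
    const label = `${name}@${entry.version}`; if (path.includes(label)) return; // cycle guard
    const next = [...path, label]; if (name === target) chains.push(next);
    for (const [dep, r] of Object.entries(entry.deps)) walk(dep, r, next);
  };
  for (const [name, range] of Object.entries(direct)) walk(name, range, []);
  return chains;
}
findChains(parseYarnLock(LOCKFILE), DIRECT, "ssri").forEach((c) => console.log(c.join(" -> ")));
```

Running it against a real project means replacing LOCKFILE with the contents of yarn.lock and DIRECT with the project's package.json dependencies; each printed chain names the direct dependency whose update (or upstream patch) would remove the flagged version.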