vuejs / vue-cli

🛠️ webpack-based tooling for Vue.js Development
https://cli.vuejs.org/
MIT License

Dependency Bot warning about vulnerable dependencies: `ssri` and `is-svg` #6375

Open mister-teddy opened 3 years ago

mister-teddy commented 3 years ago

Version

4.5.9

Reproduction link

https://github.com/upstage-org/mobilise

Environment info

Environment Info:

  System:
    OS: macOS 11.2.1
    CPU: (8) x64 Intel(R) Core(TM) i5-1030NG7 CPU @ 1.10GHz
  Binaries:
    Node: 15.6.0 - /usr/local/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 7.4.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 89.0.4389.90
    Edge: Not Found
    Firefox: 86.0.1
    Safari: 14.0.3
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.0-rc.2 
    @vue/babel-plugin-jsx:  1.0.0-rc.5 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.9 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.9 
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-pwa: ~4.5.0 => 4.5.10 
    @vue/cli-plugin-router: ~4.5.0 => 4.5.9 
    @vue/cli-plugin-vuex: ~4.5.0 => 4.5.9 
    @vue/cli-service: ~4.5.0 => 4.5.9 
    @vue/cli-shared-utils:  4.5.9 (4.5.10)
    @vue/compiler-core:  3.0.4 (3.0.7)
    @vue/compiler-dom:  3.0.4 (3.0.7)
    @vue/compiler-sfc: ^3.0.0 => 3.0.4 
    @vue/compiler-ssr:  3.0.4 
    @vue/component-compiler-utils:  3.2.0 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/reactivity:  3.0.7 
    @vue/runtime-core:  3.0.7 
    @vue/runtime-dom:  3.0.7 
    @vue/shared:  3.0.7 (3.0.4)
    @vue/web-component-wrapper:  1.2.0 
    eslint-plugin-vue: ^7.7.0 => 7.7.0 
    vue: ^3.0.7 => 3.0.7 
    vue-eslint-parser:  7.6.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.6 (16.1.2)
    vue-router: ^4.0.0-0 => 4.0.1 
    vue-style-loader:  4.1.2 
    vue-template-es2015-compiler:  1.9.1 
    vue3-draggable-resizable: ^1.6.0 => 1.6.0 
    vuex: ^4.0.0-0 => 4.0.0-rc.2 
    vuex-persistedstate: ^4.0.0-beta.1 => 4.0.0-beta.1 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

There are no steps at all; everything was fine until GitHub's dependency bot discovered these vulnerabilities a few days ago, see attachment below:

[Screenshot 2021-03-24 at 21:19:15]

What is expected?

No warning from Github's dependency bot

What is actually happening?

Dependency bot is warning about vulnerabilities inside these indirect dependencies: ssri and is-svg

ssri and is-svg are not our direct dependencies; after inspecting the yarn.lock we discovered that they were peer dependencies of @vue/cli-service

haoqunjiang commented 3 years ago

Update: The is-svg dependency does not expose the projects to any real threats, and it is not likely to be updated any time soon. See https://github.com/cssnano/cssnano/issues/1019#issuecomment-802182732

mister-teddy commented 3 years ago

Hello everyone, thank you for the great works!

What is the current status of this issue? It's now considered high severity by Dependency Bot

[Screenshot 2021-04-10 at 22:25:31]

haoqunjiang commented 3 years ago

As said earlier, they are upstream issues, there's nothing we can do here. Besides, they do not expose the users of Vue CLI to any real threats, it's safe to ignore them.

They're considered vulnerabilities because if you use these package versions in your Node.js web server, and process user inputs with them, your server might get compromised.

But that's not the use case of Vue CLI, which is a developer tool.

mister-teddy commented 3 years ago

Thank you for the helpful information @sodatea 👍 We've turned off the vulnerable warning alerts for now

bobvandevijver commented 3 years ago

@sodatea The @vue/cli-service package directly depends on version 7 of ssri. For version 5 (which is currently in beta) it was bumped to version 8, per https://github.com/vuejs/vue-cli/commit/473eab2d786aa54b7ab816003df6fbfee79852e9.

It looks like the update did not have that much impact, so maybe it can be backported to version 4 of the cli-service?