vuejs / vue-cli

🛠️ webpack-based tooling for Vue.js Development
https://cli.vuejs.org/
MIT License

Minimist <=1.2.5 is vulnerable #7078

Closed njomzaav closed 2 years ago

njomzaav commented 2 years ago

Version

5.0.4

Environment info

Environment Info:

  System:
    OS: Windows 10 10.0.18363
    CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
  Binaries:
    Node: 16.14.0 - C:\Program Files\nodejs\node.EXE      
    Yarn: Not Found
    npm: 8.5.2 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Chrome: Not Found
    Edge: Spartan (44.18362.1593.0)
  npmPackages:
    @vue/cli-overlay:  5.0.1 
    @vue/cli-plugin-eslint: ^5.0.1 => 5.0.1 
    @vue/cli-plugin-router: ^5.0.1 => 5.0.1 
    @vue/cli-plugin-typescript: ^5.0.1 => 5.0.1 
    @vue/cli-plugin-unit-jest: ^5.0.1 => 5.0.1 
    @vue/cli-plugin-vuex: ^5.0.1 => 5.0.1 
    @vue/cli-service: ^5.0.1 => 5.0.1 
    @vue/cli-shared-utils:  5.0.1
    @vue/compiler-core:  3.2.31
    @vue/compiler-dom:  3.2.31
    @vue/compiler-sfc: ^3.0.0 => 3.2.31
    @vue/compiler-ssr:  3.2.31
    @vue/component-compiler-utils:  3.3.0
    @vue/devtools-api:  6.0.12
    @vue/eslint-config-prettier: ^6.0.0 => 6.0.0
    @vue/eslint-config-typescript: ^9.1.0 => 9.1.0
    @vue/reactivity:  3.2.31
    @vue/reactivity-transform:  3.2.31
    @vue/runtime-core:  3.2.31
    @vue/runtime-dom:  3.2.31
    @vue/server-renderer:  3.2.31
    @vue/shared:  3.2.31
    @vue/test-utils: ^2.0.0-rc.15 => 2.0.0-rc.17
    @vue/vue3-jest: ^27.0.0-alpha.1 => 27.0.0-alpha.4
    @vue/web-component-wrapper:  1.3.0
    eslint-plugin-vue: ^8.0.3 => 8.5.0
    jest-serializer-vue:  2.0.2
    primevue: ^3.11.1 => 3.12.1
    typescript: ~4.5.5 => 4.5.5
    vue: ^3.2.31 => 3.2.31
    vue-class-component: ^8.0.0-0 => 8.0.0-rc.1
    vue-eslint-parser:  8.3.0
    vue-hot-reload-api:  2.3.4
    vue-loader:  17.0.0 (15.9.8)
    vue-router: ^4.0.12 => 4.0.13
    vue-style-loader:  4.1.3
    vue-template-es2015-compiler:  1.9.1
    vuex: ^4.0.2 => 4.0.2
    vuex-persist: ^3.1.3 => 3.1.3
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Check GitHub security alerts

What is expected?

No vulnerabilities

What is actually happening?

CVE-2021-44906 (high severity)
Vulnerable versions: <= 1.2.5
Patched version: 1.2.6
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Upgrade minimist to version 1.2.6 or later.
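The advisory quoted in the report names the bug class (prototype pollution) and the shape of code it lives in: a setter that walks or creates nested objects along a key path. As an added illustration, not code from vue-cli or from minimist, the block below shows that assignment pattern in a naive form beside a hardened form; the names `setKeyNaive`, `setKeySafe`, the forbidden-key list and the sample paths are assumptions made for this example.

```javascript
// Added example, not code from vue-cli or minimist: the nested key-assignment
// pattern that prototype-pollution bugs live in, shown naively and hardened.
// setKeyNaive/setKeySafe and the sample paths are constructed for illustration.

// Keys that make a walk over a plain object land on Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive version: follow/create objects along `path`, then set the leaf.
// Walking through "__proto__" reaches Object.prototype, so the leaf write
// becomes visible on every plain object in the process.
function setKeyNaive(obj, path, value) {
  let cur = obj;
  for (const key of path.slice(0, -1)) {
    if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened version: refuse any segment that can reach the prototype chain and
// only descend into the target's own properties.
function setKeySafe(obj, path, value) {
  if (path.some((key) => FORBIDDEN_KEYS.has(key))) {
    return obj; // dropped silently here; a parser may prefer to throw or log
  }
  let cur = obj;
  for (const key of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Run both on the same hostile path and report what an unrelated object sees.
function demonstrate() {
  const hostile = ['__proto__', 'polluted'];

  setKeyNaive({}, hostile, 'yes');
  const naiveLeak = ({}).polluted; // 'yes': Object.prototype was modified
  delete Object.prototype.polluted; // undo the damage this demo just caused

  const safe = setKeySafe({}, hostile, 'yes');
  setKeySafe(safe, ['a', 'b'], 1); // an ordinary nested write still works
  const safeLeak = ({}).polluted; // undefined: the hostile write was dropped
  return { naiveLeak, safeLeak, nested: safe.a.b, ownKeys: Object.keys(safe) };
}

console.log(demonstrate());
```

Rejecting the three keys is the usual fix; building the result container with `Object.create(null)` so it has no prototype to reach is a complementary measure. For an application that merely depends on minimist, the remediation is still the one the report gives: move to 1.2.6 or later.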

lorand-horvath commented 2 years ago

You should manually upgrade minimist devDependency to 1.2.6 in @vue/cli and your existing project/packages. Or simply reinstall @vue/cli globally, that would pull the latest minimist version in, e.g. npm install -g @vue/cli
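Because a project can carry several installed copies of minimist (one at the top level and others nested under tools that pin their own), confirming the upgrade means checking every copy, not just the one `package.json` names. The block below is an added example and not vue-cli's code: it scans a package-lock.json for every installed copy of a package whose version is below the patched release. The lockfile contents are constructed, and the helper names are assumptions for the example.

```javascript
// Added example, not vue-cli's code: find every installed copy of a package in
// a package-lock.json whose version is below the patched release. Supports
// lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keyed by
// install path). SAMPLE_LOCK below is constructed for this illustration.

// Minimal semver: compare major.minor.patch numerically; pre-release tags are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function versionLessThan(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// lockfile v1: "dependencies" is a tree; nested copies live under each entry.
function walkV1(deps, prefix, name, out) {
  for (const [depName, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${depName}`;
    if (depName === name) out.push({ path, version: info.version });
    walkV1(info.dependencies, `${path}/`, name, out);
  }
}

// lockfile v2/v3: "packages" is flat; the key is the install path, so the
// package name is everything after the last "node_modules/".
function findInstalled(lock, name) {
  const out = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry
      if (path.split('node_modules/').pop() === name) {
        out.push({ path, version: info.version });
      }
    }
  } else {
    walkV1(lock.dependencies, '', name, out);
  }
  return out;
}

function findVulnerable(lock, name, patched) {
  return findInstalled(lock, name).filter((e) => versionLessThan(e.version, patched));
}

// Constructed sample: the top-level copy is patched, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/minimist': { version: '1.2.6' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/minimist': { version: '1.2.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-lock.js [path/to/package-lock.json]; defaults to the sample.
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock, 'minimist', '1.2.6');
  for (const h of hits) console.log(`${h.path}: minimist ${h.version} < 1.2.6`);
  if (hits.length === 0) console.log('no copy of minimist below 1.2.6 found');
}
```

`npm ls minimist` and `npm audit` answer the same question from the installed tree and the advisory database; the point of the script is to make the check explicit and runnable against a lockfile that has not been installed yet, for instance in CI before the upgrade is merged.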